xworm | b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prism Release V1.5.exe
Size

5.1MB
MD5

ac80f970a7ae1c07663abdd11d752d34
SHA1

5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
SHA256

b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
SHA512

7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
SSDEEP

98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\dllhost.exe	family_xworm
behavioral2/memory/2268-32-0x0000000000030000-0x000000000004A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4700 powershell.exe
1436 powershell.exe
4068 powershell.exe
4908 powershell.exe
4548 powershell.exe
4396 powershell.exe

pid	process
4700	powershell.exe
1436	powershell.exe
4068	powershell.exe
4908	powershell.exe
4548	powershell.exe
4396	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Prism Release V1.5.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Prism Release V1.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dllhost.exe

Drops startup file 2 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe

Executes dropped EXE 5 IoCs

Processes:

dllhost.exePrism Executor.exenexusloader.exeWindows Runtime.exeWindows Runtime.exe

pid process

2268 dllhost.exe
2248 Prism Executor.exe
3608 nexusloader.exe
3484 Windows Runtime.exe
5996 Windows Runtime.exe
Loads dropped DLL 5 IoCs

Processes:

nexusloader.exe

pid process

3608 nexusloader.exe
3608 nexusloader.exe
3608 nexusloader.exe
3608 nexusloader.exe
3608 nexusloader.exe

pid	process
2268	dllhost.exe
2248	Prism Executor.exe
3608	nexusloader.exe
3484	Windows Runtime.exe
5996	Windows Runtime.exe

pid	process
3608	nexusloader.exe
3608	nexusloader.exe
3608	nexusloader.exe
3608	nexusloader.exe
3608	nexusloader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe"	dllhost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
9	ip-api.com

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3252 schtasks.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

dllhost.exe

pid process

2268 dllhost.exe

pid	process
3252	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

pid	process
2268	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
1436	powershell.exe
1436	powershell.exe
4700	powershell.exe
4700	powershell.exe
4908	powershell.exe
4908	powershell.exe
4700	powershell.exe
1436	powershell.exe
4908	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe
2268	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

2268 dllhost.exe

pid	process
2268	dllhost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

dllhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindows Runtime.exefirefox.exeWindows Runtime.exe

description	pid	process
Token: SeDebugPrivilege	2268	dllhost.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2268	dllhost.exe
Token: SeDebugPrivilege	3484	Windows Runtime.exe
Token: SeDebugPrivilege	1716	firefox.exe
Token: SeDebugPrivilege	1716	firefox.exe
Token: SeDebugPrivilege	5996	Windows Runtime.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exe

pid process

1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

firefox.exe

pid process

1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
1716 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dllhost.exefirefox.exe

pid process

2268 dllhost.exe
1716 firefox.exe

pid	process
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe

pid	process
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe
1716	firefox.exe

pid	process
2268	dllhost.exe
1716	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Prism Release V1.5.exePrism Executor.exedllhost.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1604 wrote to memory of 4700	1604	Prism Release V1.5.exe	powershell.exe
PID 1604 wrote to memory of 4700	1604	Prism Release V1.5.exe	powershell.exe
PID 1604 wrote to memory of 4700	1604	Prism Release V1.5.exe	powershell.exe
PID 1604 wrote to memory of 1436	1604	Prism Release V1.5.exe	powershell.exe
PID 1604 wrote to memory of 1436	1604	Prism Release V1.5.exe	powershell.exe
PID 1604 wrote to memory of 1436	1604	Prism Release V1.5.exe	powershell.exe
PID 1604 wrote to memory of 2268	1604	Prism Release V1.5.exe	dllhost.exe
PID 1604 wrote to memory of 2268	1604	Prism Release V1.5.exe	dllhost.exe
PID 1604 wrote to memory of 2248	1604	Prism Release V1.5.exe	Prism Executor.exe
PID 1604 wrote to memory of 2248	1604	Prism Release V1.5.exe	Prism Executor.exe
PID 2248 wrote to memory of 3608	2248	Prism Executor.exe	nexusloader.exe
PID 2248 wrote to memory of 3608	2248	Prism Executor.exe	nexusloader.exe
PID 2268 wrote to memory of 4908	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4908	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4548	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4548	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4396	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4396	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4068	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 4068	2268	dllhost.exe	powershell.exe
PID 2268 wrote to memory of 3252	2268	dllhost.exe	schtasks.exe
PID 2268 wrote to memory of 3252	2268	dllhost.exe	schtasks.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 1716	4836	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4308	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4308	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe
PID 1716 wrote to memory of 4664	1716	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\dllhost.exe
"C:\Users\Admin\dllhost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
3⤵
- Creates scheduled task(s)
PID:3252

C:\Users\Admin\Prism Executor.exe
"C:\Users\Admin\Prism Executor.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe
"C:\Users\Admin\Prism Executor.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3608

C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.0.35682807\1938772953" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddfe263-0ec0-4dd7-88d3-a3c14a53141f} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 1948 219146d9158 gpu
3⤵
PID:4308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.1.446440770\1792840606" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a778e791-78ec-4b26-b3c4-1c542cd94271} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 2348 21907c70a58 socket
3⤵
PID:4664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.2.700015724\363079945" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d60a3331-5c9f-499d-987d-b4d576784252} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 3160 2191465ae58 tab
3⤵
PID:3788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.3.2038223076\1005855260" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c2ce1b3-5eae-4abb-a60f-4e8c8d4a8334} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 3624 21907c6dc58 tab
3⤵
PID:1164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.4.2090275595\1523311465" -childID 3 -isForBrowser -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {611be4a1-b7f5-4ef0-b8bb-3e37b1189678} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4692 2191a786d58 tab
3⤵
PID:5344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.5.608705048\71504514" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 2892 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2f3ff47-fe40-4c3e-9772-f83423588995} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4952 21907c61358 tab
3⤵
PID:6000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.6.1954166490\853083925" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fd6e46c-f43a-4ece-b281-52ee32c54929} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5336 21919342758 tab
3⤵
PID:6008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.7.60248656\632143970" -childID 6 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31811d3-2a7d-464b-b9b0-8273c60ff6c0} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5512 21919342a58 tab
3⤵
PID:6016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.8.1957125246\1328769048" -childID 7 -isForBrowser -prefsHandle 4760 -prefMapHandle 6132 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69fd7fc-2328-4ffd-803c-25469e99a07c} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4628 2191a788558 tab
3⤵
PID:5716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.9.920285735\1992755726" -childID 8 -isForBrowser -prefsHandle 3592 -prefMapHandle 4076 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4fc889-4b13-42f7-b5a3-ade84783c4b2} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4944 21918495158 tab
3⤵
PID:4908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.10.336556927\772972749" -childID 9 -isForBrowser -prefsHandle 3564 -prefMapHandle 3568 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b8da90-7089-4901-9c6a-81367fc2a3dc} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5176 2191c37dc58 tab
3⤵
PID:5500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.11.189417213\723425205" -childID 10 -isForBrowser -prefsHandle 6156 -prefMapHandle 3592 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f7993b3-0f37-44d5-add6-fd1b8d77937f} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5268 2191d940d58 tab
3⤵
PID:6100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.12.1816902579\1246439403" -parentBuildID 20221007134813 -prefsHandle 6496 -prefMapHandle 6440 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c93434c-64b7-4518-831f-656d2ca56906} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 6488 2191db70858 rdd
3⤵
PID:5220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.13.173325312\1702560172" -childID 11 -isForBrowser -prefsHandle 6696 -prefMapHandle 6700 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15bb4b6-3cd2-4646-b5eb-090289d5faeb} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 6676 2191de05058 tab
3⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:5608

C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ad148cc543edfb880854c755c2ad2081

SHA1
b81e48b6803d15a7a33d80f445fd61c5162a2d35

SHA256
a316471edb159f94a596f031c2a45818dae3936034e8474d238455e26a351e23

SHA512
9f6066e011637150355b8debfd24b65e0bd7ba1bc1133d4850bd490a8d99b52c38b00baf20674f16bb4998c9287c3b15362e143dbe27698f524302c7a5d350a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll
Filesize
1.8MB

MD5
ad03d1e9f0121330694415f901af8f49

SHA1
ad8d3eee5274fef8bb300e2d1f4a11e27d3940df

SHA256
224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9

SHA512
19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll
Filesize
1.5MB

MD5
e3c7ed5f9d601970921523be5e6fce2c

SHA1
a7ee921e126c3c1ae8d0e274a896a33552a4bd40

SHA256
bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77

SHA512
bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0hiuz4r.z0s.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\VCRUNTIME140.dll
Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\_tkinter.pyd
Filesize
60KB

MD5
0f1aa5b9a82b75b607b4ead6bb6b8be6

SHA1
5d58fd899018a106d55433ea4fcb22faf96b4b3d

SHA256
336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190

SHA512
b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe
Filesize
3.5MB

MD5
58545dc488990ac11872079d119f8284

SHA1
dade5c16834d582a5187041697cc5a7c2eae2f88

SHA256
6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc

SHA512
93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl8\8.5\msgcat-1.6.1.tm
Filesize
33KB

MD5
db52847c625ea3290f81238595a915cd

SHA1
45a4ed9b74965e399430290bcdcd64aca5d29159

SHA256
4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55

SHA512
5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\auto.tcl
Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\encoding\cp1252.enc
Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\encoding\symbol.enc
Filesize
1KB

MD5
1b612907f31c11858983af8c009976d6

SHA1
f0c014b6d67fc0dc1d1bbc5f052f0c8b1c63d8bf

SHA256
73fd2b5e14309d8c036d334f137b9edf1f7b32dbd45491cf93184818582d0671

SHA512
82d4a8f9c63f50e5d77dad979d3a59729cd2a504e7159ae3a908b7d66dc02090dabd79b6a6dc7b998c32c383f804aacabc564a5617085e02204adf0b13b13e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\http1.0\pkgIndex.tcl
Filesize
735B

MD5
10ec7cd64ca949099c818646b6fae31c

SHA1
6001a58a0701dff225e2510a4aaee6489a537657

SHA256
420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c

SHA512
34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\init.tcl
Filesize
23KB

MD5
e10e428598b2d5f2054cfae4a7029709

SHA1
f8e7490e977c3c675e76297638238e08c1a5e72e

SHA256
61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939

SHA512
88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\opt0.4\pkgIndex.tcl
Filesize
607B

MD5
92ff1e42cfc5fecce95068fc38d995b3

SHA1
b2e71842f14d5422a9093115d52f19bcca1bf881

SHA256
eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718

SHA512
608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\package.tcl
Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\tclIndex
Filesize
5KB

MD5
996f74f323ea95c03670734814b7887f

SHA1
49f4b9be5ab77e6ccab8091f315d424d7ac183f3

SHA256
962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13

SHA512
c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\tm.tcl
Filesize
11KB

MD5
52db1cd97ceab81675e86fa0264ea539

SHA1
b31693b5408a847f97ee8004fed48e5891df6e65

SHA256
6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669

SHA512
5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\button.tcl
Filesize
20KB

MD5
cf6e5b2eb7681567c119040939dd6e2c

SHA1
3e0b905428c293f21074145fe43281f22e699eb4

SHA256
2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53

SHA512
be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\entry.tcl
Filesize
17KB

MD5
1d9ff9bb7fedb472910776361510c610

SHA1
c190dd07bcc55741b9bdfc210f82df7b7c2fac81

SHA256
dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04

SHA512
85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\icons.tcl
Filesize
10KB

MD5
2652aad862e8fe06a4eedfb521e42b75

SHA1
ed22459ad3d192ab05a01a25af07247b89dc6440

SHA256
a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161

SHA512
6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\listbox.tcl
Filesize
14KB

MD5
b3b6a3bd19ddde4a97ea7cf95d7a8322

SHA1
2f11d97c091de9202f238778c89f13a94a10d3be

SHA256
b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4

SHA512
f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\menu.tcl
Filesize
37KB

MD5
12ec5260eb7435c7170002e011fe8f17

SHA1
e88f5423a7133784a1a2d097c4e602e5de564034

SHA256
588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e

SHA512
5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\panedwindow.tcl
Filesize
5KB

MD5
2da0a23cc9d6fd970fe00915ea39d8a2

SHA1
dfe3dc663c19e9a50526a513043d2393869d8f90

SHA256
4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29

SHA512
b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\pkgIndex.tcl
Filesize
372B

MD5
d942ff6f65bba8eb6d264db7d876a488

SHA1
74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb

SHA256
e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3

SHA512
3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\scale.tcl
Filesize
7KB

MD5
1ce32cdaeb04c75bfceea5fb94b8a9f0

SHA1
cc7614c9eade999963ee78b422157b7b0739894c

SHA256
58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365

SHA512
1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\scrlbar.tcl
Filesize
12KB

MD5
b44265f793563ad2ad66865dec63b2c2

SHA1
23e6f7095066ed3b65998324021d665d810e6a93

SHA256
189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81

SHA512
3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\spinbox.tcl
Filesize
15KB

MD5
9971530f110ac2fb7d7ec91789ea2364

SHA1
ab553213c092ef077524ed56fc37da29404c79a7

SHA256
5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a

SHA512
81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\text.tcl
Filesize
32KB

MD5
33230f852aac8a5368aeba1834dcec77

SHA1
beba97c48a110f4a9fe86f60e5fd4ca6ac55e964

SHA256
f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441

SHA512
caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\tk.tcl
Filesize
23KB

MD5
25094462d2ea6b43133275bf4db31a60

SHA1
6bb76294e8fdf4d40027c9d1b994f1ab0014b81b

SHA256
3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1

SHA512
8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\altTheme.tcl
Filesize
3KB

MD5
ae1b9c4dc2de8e899749fb4e1fcb4df6

SHA1
2a09d325ca56c930b3afb1ee43c944fd4416b8e1

SHA256
92b8be9d8934850b6d240b970603b0ad7c6dd4a45134545694fb52966d742861

SHA512
2803f96729805c90143e0c4c9bf25398bac7d6e4402cb09be354c35566fc3c3bd9522372147c0e956bdbbc2943b9aecb0f5c96b527a26fd790b8fdb5b99efe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\button.tcl
Filesize
2KB

MD5
ea7cf40852afd55ffda9db29a0e11322

SHA1
b7b42fac93e250b54eb76d95048ac3132b10e6d8

SHA256
391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d

SHA512
123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\clamTheme.tcl
Filesize
4KB

MD5
beced087eeb3d5c9b2eabdb19c030d52

SHA1
be285e65905d335be442606afa3a88e408d5ec5b

SHA256
93c29536262c582104bf1804d7b06c7565b7d621f2e3605ff8b6c981a3b4ab01

SHA512
84b733c3fbe63c32b5b1e6cd132bd1b55f07b47612b70455c17c4d6d239682672c838cc3d739283079d0d2d8567fca9b763465d8d2148d25b5952282ed521a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\classicTheme.tcl
Filesize
3KB

MD5
70f3edfbfd4c16febdd8311290a0effe

SHA1
4b1d63d59c72c357931a8cbbf071654492a9b371

SHA256
c7b1f40d77820fbaf2195f2bb3f334b38fec653fe47653f9e30a01ad4ca63ba5

SHA512
a58c584ada6d271316266d58641be260f98e6fa0ae867ee9e343807a2955ddd3544b864cca80dc7f164ed4be5331575b696650ff0bb469c3647c5cb122f2a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\combobox.tcl
Filesize
11KB

MD5
06b885722c8555668bcbe8d7d9aa4c75

SHA1
8172c8886884de462549aa94fca440b99da90583

SHA256
057f8f447de3a753714b8f82b96054e1849a2424749f3482492eae192baacdcf

SHA512
d81ab53d48ed1d79da57fc2d2b599199ee985e237046244a2f820daacd2e8565c65d63e9b6f80175c30fd48290226a547d6d603293a4b7e4a455795f7fce7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\cursors.tcl
Filesize
3KB

MD5
74596004dfdbf2ecf6af9c851156415d

SHA1
933318c992b705bf9f8511621b4458ecb8772788

SHA256
7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6

SHA512
0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\defaults.tcl
Filesize
4KB

MD5
16843ecd9e716a87d865a6539ef44751

SHA1
3df76af0d6e4c386d63dd061100702dbb0f72a42

SHA256
d83248b535a9417ce0ca598bbe245f24252adc90e3611c1191a045d9c0a9c99f

SHA512
7f5e7a200fd6b012a9336035211d9d89f0504f61156629ebcc1a03bcf8462ba8d219de376b6bb3ebb9e6a9507f0ac6f7d658eed5b953110df553b3c0c44ebc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\entry.tcl
Filesize
16KB

MD5
3dea98c515f6f731e666656da9708f12

SHA1
212865fc5c635eeca380efc1b3fbb85554714c47

SHA256
fe32f8b154893218acaba93ac4b8e1170d9b3e3ab66df63df85c0a31c17592be

SHA512
2901b5f92df95cbd1ec71acf86646af2f1d6058232eef1b5779192bad6df0bbbbc5902e363f809671f06d13270b1581d55f611556d48b1a843194477a113aeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\fonts.tcl
Filesize
5KB

MD5
7017b5c1d53f341f703322a40c76c925

SHA1
57540c56c92cc86f94b47830a00c29f826def28e

SHA256
0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0

SHA512
fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\menubutton.tcl
Filesize
6KB

MD5
fe89894d8cbf415541a60d77192f0f94

SHA1
c0716b2d8e24592757b62d24eeed57121b60e00f

SHA256
d9af20135ef1bfeb3e0fd9fdabe821474de3ed43b3745a42fe564d24a8b9fd9c

SHA512
66488cbcac49cca47c9c560648e891d429f40e46549f58687b98073eba4807a8458a277be093ebfc50709a8a87a529df4e526eccfb60803ce16af17b97accd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\notebook.tcl
Filesize
5KB

MD5
82c9dfc512e143dda78f91436937d4dd

SHA1
26abc23c1e0c201a217e3cea7a164171418973b0

SHA256
d1e5267cde3d7be408b4c94220f7e1833c9d452bb9ba3e194e12a5eb2f9adb80

SHA512
a9d3c04ad67e0dc3f1c12f9e21ef28a61fa84dbf710313d4ca656bdf35dfbbfba9c268c018004c1f5614db3a1128025d795bc14b4fffaa5603a5313199798d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\panedwindow.tcl
Filesize
1KB

MD5
a12915fa5caf93e23518e9011200f5a4

SHA1
a61f665a408c10419fb81001578d99b43d048720

SHA256
ce0053d637b580170938cf552b29ae890559b98eb28038c2f0a23a265ddeb273

SHA512
669e1d66f1223cca6ceb120914d5d876bd3cf401ee4a46f35825361076f19c7341695596a7dbb00d6cff4624666fb4e7a2d8e7108c3c56a12bda7b04e99e6f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\progress.tcl
Filesize
1KB

MD5
b0074341a4bda36bcdff3ebcae39eb73

SHA1
d070a01cc5a787249bc6dad184b249c4dd37396a

SHA256
a9c34f595e547ce94ee65e27c415195d2b210653a9ffcfb39559c5e0fa9c06f8

SHA512
af23563602886a648a42b03cc5485d84fcc094ab90b08df5261434631b6c31ce38d83a3a60cc7820890c797f6c778d5b5eff47671ce3ee4710ab14c6110dcc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\scale.tcl
Filesize
2KB

MD5
b41a9df31924dea36d69cb62891e8472

SHA1
4c2877fbb210fdbbde52ea8b5617f68ad2df7b93

SHA256
25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479

SHA512
a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\scrollbar.tcl
Filesize
2KB

MD5
cf7bc1ffbf3efee2ca7369215a3b1473

SHA1
e2632241089f9dc47fa76cd0c57615d70753008c

SHA256
b3a0e10c95b28c90cccfc373152bd30ab7da2fb4c0e96409aeeb01d453f36b4a

SHA512
01841cda93aa0ce1a5b1fc65db153902b872b7e9d1030ef8902e086bbeb35649fd742dd96d1aed9cf620692fde6f4e2ccd865dc7a125452ffd16a65918956dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\sizegrip.tcl
Filesize
2KB

MD5
3c8916a58c6ee1d61836e500a54c9321

SHA1
54f3f709698fad020a048668749cb5a09ede35ab

SHA256
717d2edd71076ea059903c7144588f8bbd8b0afe69a55cbf23953149d6694d33

SHA512
2b71569a5a96cac1b708e894a2466b1054c3fae5405e10799b182012141634bd2a7e9e9f516658e1a6d6e9e776e397608b581501a6cfe2eb4ec54459e9ecb267

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\spinbox.tcl
Filesize
4KB

MD5
ebce661f8125f54c7dff9f076fb2bfe2

SHA1
966603a85eadba4e003e8307a7e581cd6839716f

SHA256
7c2ffd7308bdea852851335d5b5eb5dcca0e4d4a0cea16f786b40009ffd58b71

SHA512
35f518e20986ab951ff33091f405ea1647534ccb77c8c36a94b1ab4a973df3ed52355864702b6526888830af8c912105e542027b5d68f81ac2a9f40ad2ba2632

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\treeview.tcl
Filesize
9KB

MD5
5bec78db1a86b4bc17a5108806c5371e

SHA1
4b2b08240f778864c5045f546a620702ae126ccb

SHA256
0e05adf29b616989cb4724e57a26f1044598781f0cc10d5eb5ac4af7d705ddca

SHA512
29dff439bb5caa23f8f38ea136406fa2db68be021068f80bad2e2ec811ae5c5b08f4f287719db946db780122af05654392ea771fb523bdc1569b364689d3ec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\ttk.tcl
Filesize
4KB

MD5
e38b399865c45e49419c01ff2addce75

SHA1
f8a79cbc97a32622922d4a3a5694bccb3f19decb

SHA256
61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6

SHA512
285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\utils.tcl
Filesize
8KB

MD5
f868a26a299885824b14ca28f68039ce

SHA1
e37a1889e6cc215102ec078d0455622415ed8486

SHA256
6c35cd6c7f3ac4be3fe0cc7633dbbde5123155921a441ba702b4347e6f967f34

SHA512
14d8fd30fe670ce4630ce5b7b1e4b04a2a3f97d6483d87d0d7a2b675e880ab75e947820a4babd337452d683e0cbb7b92b4c866af19a8dcd5711016e012d597e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\vistaTheme.tcl
Filesize
9KB

MD5
ad2d78020875529834dd0ea74251e2d3

SHA1
80cc99972a056396dd55e9505ccb02e16462b115

SHA256
ce1a53a769de9e230f586efafd2fb455980b45941e5db553bd3a2f0062b50f3e

SHA512
59ec21a44769fec0b462f0675217882ecf5cbc64056024e4259d91233a1397b4b89957bd474387c992a8753dc9c350fda7e6e5c6e9d29c655d62362a018e2194

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\winTheme.tcl
Filesize
2KB

MD5
8b4813a1c6915fd35b52ac854230bcc1

SHA1
db981087f2a311361446014fadbd8b199d856716

SHA256
05fad058280e7a8947a9f71122b442b92d7d578b4618b08bf0b71b6dac5aa22f

SHA512
e0a69e94aabd725b441d6c4920f1cd54451bcc00090d9319cb55286a46a7f35066d1959de149d900198f777671004f6d8a64e7d31e42f8a76e89ed122a79a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\xpTheme.tcl
Filesize
2KB

MD5
1026799ffe26aaa8661f64d6f2cbe4dd

SHA1
5cd337feb3130d146134e06c4a1826ba29157e7a

SHA256
ff421674388da5d3a0c687f342f8d1e3c7f247f3cb59d5512b31f91a54a4c318

SHA512
90f1062caa87c0d65aede1d71370ebe35ad90f4033e6077169b7168b4754c0ff46a9f6348f4d907dcf20ab8f63bb6e0d106a05f068c5abeb86d26f5ea00f503c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
ed711fe1756be07bd7d52f09197110da

SHA1
4d9bb58f60d83d77d864fe580d54a113a80c42c0

SHA256
365100fbdfdede2f0f818e039ee6c25fdfd45c0e4fa3c8b3f3005af94e432155

SHA512
c3bb44a403981851ee5cd58e787e26d74a2e1df1f3a8a7fdb09160c9de619550c2983d1abbb7fd40faac4cf75d6945ece095f1bbe895a87ad3f59350eddb44a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\e11e5212-73c7-4789-acf3-32b538b4032e
Filesize
746B

MD5
9b5b96ab518be7f4c0bc14c684edcca6

SHA1
5f21678661d4d234540c47934e11c09ca53b4b10

SHA256
e77fc92380ec2ecbb9c8406ece543ca8ade257ae0fcef1fbc171722426ed6027

SHA512
15e0104f2e774bb923817ff8d493d2d4b6ce5fcee5e7044413e6d8f89bea894e36d4d04429065cabac8bfb8d22e5ba08c65550e51cea7feb396a5b1ad75b43ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\ed2c2cd6-b4b7-4160-a9a0-d880fb9709a9
Filesize
10KB

MD5
3d78c6074d7f524095b4c7983d86647f

SHA1
65b1a0c8018c14e2d66538b92b245d4d58afc12b

SHA256
b7ebf7cf53bb9c5091f1cff2bf63bc8fbf5e5c65deb9e73832a82ce56ed8ed35

SHA512
4393db369f7f7d4c77aa93dcc3009f4d3ef28fb185b86786db5f4549c72242597ea67e1356dfb95eac1ec2d0c2d560286c9bbbb0d4ee0f18e9bafb79a10fa2b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
3e70ce5e3dee6b04c905648b716ab51a

SHA1
adc10e020b5e404c3238de3605233457f4d3899b

SHA256
3784b39e01fb40ac4f33deee3508cfac8cb7994e0e236552f329a98a22782441

SHA512
dc88f6ae9ed8e01852ec968c2dbf0ecd23f39803b21ad0fe6f869144e40417c52be91bab4b882ce7d11415ef9ccedd46a7ad5de37c29d10dd4de4e59ebda9055

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
6KB

MD5
9c024939eab5036985819bbda388818a

SHA1
3e62562e92408a880c4d27334231119d3e36c89e

SHA256
3e3969425884c1852243c514a209b0db251916ec88c9ee9de96950b881dbe0df

SHA512
35c0fbac85657328d3493f47f02e896dbb0fc61658f07aa752dccf73d89288754ace168eca22f2658228d1d4a4f2b2b52dbb655bd1bf628288fba66f54914708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
Filesize
7KB

MD5
ef22fae60051f6858433ee20d04a4980

SHA1
23ddbfd00ad266420f43f81731d978be268e60a5

SHA256
f5e923e6ceb37c5170785b1161a14087e6c2a6adadc872eb2b0367ed682d27e5

SHA512
e2a588a346efdcb43d22dc0e0fe087ac8a6c64b6d4ff9a2c7a9f86d24b01ea2ecf69b97a5b147a770385aafdb1ef1006bf48e75597352fe404b8756d03169792

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
Filesize
6KB

MD5
9ea67bae7954a4780b3e536597756e93

SHA1
f38d209b39730d388e9bfc6f20f827f2a23e4325

SHA256
e00c7a435aab2ed20fbbe8ad2e17634ee1b02c2392346ae3e726bce02397a6e9

SHA512
09bc47a6232ac89dc2f2e8a64de116a206d06bef0840edec9dbb032fbff008655a76afa9601f641d13f38ec066fd9c5a15aaedbe8ed26887d8c590114d24ae03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
57749702866f3021368b5ec72f0bc7ba

SHA1
8e7448b38728fd067dc30b520d569345f89eac48

SHA256
baaf77958b2a1313972f5c75cd98d4d87d4527a1a8d78569504197d67c85cdf8

SHA512
082bfd04b7955bb98803fb8b5f54d8f566a758e2621a726bd4056cc0bfcf31aced8a263f9ca609b9e2d0b651345e06dee97f72908e586eccec1c8f6e4b44db95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
7506c7db800d9c36705ec2b1916baf6b

SHA1
48647928b1c8c2279f1621ab144596fe00f04800

SHA256
15a682c10166616ab664c79e2e054dac47d24683a436b58764f5688531e02d6c

SHA512
5973d82261e25d53f6eca1a3338abcc0395133c173f77da2bb94c2941aec8d89342e4625827fbe719a3adc5d57d783c2521c1b472b53dea38cd68b2d97dce4d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
c5f88a3ba7edbe7effec4ced7baf518e

SHA1
0dcd2ae571a1d66f99a45239b853777ed3492914

SHA256
55e957a1794d4e8a3f03247efe928609eac04d709662b519cd69ad0982c822a4

SHA512
96e54db90b2a2aef3acf81484411e030299c16bdfa611f70688bacea3f732f6e3445f12481252c72987b6312d9a927c5027c72c33abdbdee1a6f90cd382fda47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
67876631c1a3ffca04db9e47c2663319

SHA1
fe64c843ee49b4c264e0fc52ef17fdb37a8f2a80

SHA256
5249668ec40d1d4be705771a3c7f566b5f94c8c76bb12a667551c06d3e822768

SHA512
58154a973a269ba6ceb8f7cf3e6046631edc32765a7d2d6ef33befb8e3773ac84f75d210b81813fe87abc33556a809902cbbfb0176fe1525a225e072ed50eb85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
364810e7f1ea3884297da6690a745b89

SHA1
60752005ba11791cd553386d42329fcc7afd2663

SHA256
7450541cacb8a24a365aa9bbf26cf2612d80249fc998c985789763f8546e689f

SHA512
0bb48751ae45efc8b87c88d6984f415c669a888eac4bf65476c569075baf64fe92cb5acbf43baa4fff35de4dcc07603888f16d3cd86bd89f3666afc24d6fbb17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++www.pornhub.com\cache\morgue\240\{95265aa1-13fc-4f87-8496-e9e0747c6ef0}.final
Filesize
456B

MD5
4849126d62348e96de9f534891ee372c

SHA1
04208116ad7cb0edcb2c7c754042554104172d10

SHA256
92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d

SHA512
bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
03994b88bdc9e598d88f9273dfec8e0e

SHA1
9c4d73dc30e024c6884167494d36edc072a59cc6

SHA256
51f2123c825c0e1071fa87a6d9e6cf057b9829be2092ba1277681ce095dd270e

SHA512
17741d2e38e8a695c7b10ad67bf390d5ce515136ccf2e7445aa705d427c2f05213ce83cfa333651971759e49bebd2d70b3fd3535b17008328f69cf3a04c407a0

Download Submit
C:\Users\Admin\Prism Executor.exe
Filesize
5.0MB

MD5
fa819e23d8fee4ea89aaaea55e0b28f5

SHA1
18335d4e0d140dcab66c7197c57f669251898ce5

SHA256
bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c

SHA512
e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

Download Submit
C:\Users\Admin\dllhost.exe
Filesize
78KB

MD5
4a7f75343aaa5a4d8d18add50ccf3139

SHA1
110c62eee6d7deb4aa9d601c942eae43482d2125

SHA256
34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e

SHA512
1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

Download Submit
memory/1436-645-0x0000000004B20000-0x0000000004B56000-memory.dmp

Filesize
216KB

Download
memory/1436-1098-0x0000000007100000-0x00000000071A3000-memory.dmp

Filesize
652KB

Download
memory/1436-1125-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/1436-1095-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/1436-1128-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/1436-1130-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/1436-1131-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/1436-1084-0x0000000006690000-0x00000000066C2000-memory.dmp

Filesize
200KB

Download
memory/1436-1085-0x0000000074570000-0x00000000745BC000-memory.dmp

Filesize
304KB

Download
memory/1436-1112-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/1436-1132-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/1436-1035-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/1436-1101-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/1436-1067-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/1436-1066-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/2268-29-0x00007FF9D5303000-0x00007FF9D5305000-memory.dmp

Filesize
8KB

Download
memory/2268-32-0x0000000000030000-0x000000000004A000-memory.dmp

Filesize
104KB

Download
memory/4068-1127-0x0000024F3DD60000-0x0000024F3DEAE000-memory.dmp

Filesize
1.3MB

Download
memory/4396-1114-0x0000016EEBBD0000-0x0000016EEBD1E000-memory.dmp

Filesize
1.3MB

Download
memory/4548-1097-0x0000022FFF8C0000-0x0000022FFFA0E000-memory.dmp

Filesize
1.3MB

Download
memory/4700-1099-0x0000000008610000-0x0000000008BB4000-memory.dmp

Filesize
5.6MB

Download
memory/4700-1100-0x00000000077B0000-0x0000000007842000-memory.dmp

Filesize
584KB

Download
memory/4700-1055-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/4700-1083-0x0000000006910000-0x000000000692A000-memory.dmp

Filesize
104KB

Download
memory/4700-646-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download
memory/4700-1036-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4700-1034-0x0000000005400000-0x0000000005422000-memory.dmp

Filesize
136KB

Download
memory/4700-844-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/4700-1082-0x00000000079E0000-0x000000000805A000-memory.dmp

Filesize
6.5MB

Download
memory/4908-1056-0x0000029866BE0000-0x0000029866C02000-memory.dmp

Filesize
136KB

Download
memory/4908-1070-0x0000029866D70000-0x0000029866EBE000-memory.dmp

Filesize
1.3MB

Download