Malware Analysis Report

2024-09-11 13:54

Sample ID 240615-nnyrpasglm
Target Prism Release V1.5.exe
SHA256 b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

Threat Level: Known bad

The file Prism Release V1.5.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 11:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 11:33

Reported

2024-06-15 11:35

Platform

win7-20240611-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\Prism Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe N/A
N/A N/A C:\Users\Admin\Prism Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" C:\Users\Admin\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 2084 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 2084 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 2084 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 2084 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 2084 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 2084 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 2084 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 2744 wrote to memory of 2548 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe
PID 2744 wrote to memory of 2548 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe
PID 2744 wrote to memory of 2548 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe
PID 2632 wrote to memory of 1288 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1288 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1288 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1572 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1572 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1572 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 552 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 552 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 552 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 880 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 880 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 880 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2304 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe
PID 2632 wrote to memory of 2304 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe
PID 2632 wrote to memory of 2304 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="

C:\Users\Admin\dllhost.exe

"C:\Users\Admin\dllhost.exe"

C:\Users\Admin\Prism Executor.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {22E47E27-9F81-4BC0-9316-93813EE47E2E} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 91.92.241.69:5555 tcp

Files

\Users\Admin\dllhost.exe

MD5 4a7f75343aaa5a4d8d18add50ccf3139
SHA1 110c62eee6d7deb4aa9d601c942eae43482d2125
SHA256 34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e
SHA512 1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

C:\Users\Admin\Prism Executor.exe

MD5 fa819e23d8fee4ea89aaaea55e0b28f5
SHA1 18335d4e0d140dcab66c7197c57f669251898ce5
SHA256 bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c
SHA512 e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bdf6ee25243be9f1c16d1245a5b46a3e
SHA1 1a337833be748f554a1e5555fc53652c60c0ff9d
SHA256 8c5f8a599c16c67c064975adeffce75169e63fe6f6eb50c4552e842983d57e7d
SHA512 653fe60b42720156a1e0a65f5465d8c47f4143346516e9bd104d341977114e9b2774000b1451342d47a36c7808d25ec3fc859baaccdbeb20757e2a5fea5b24d4

memory/2632-71-0x0000000000E00000-0x0000000000E1A000-memory.dmp

\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\nexusloader.exe

MD5 58545dc488990ac11872079d119f8284
SHA1 dade5c16834d582a5187041697cc5a7c2eae2f88
SHA256 6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc
SHA512 93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

C:\Users\Admin\AppData\Local\Temp\onefile_2744_133629248080724000\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

memory/1288-954-0x000000001B320000-0x000000001B602000-memory.dmp

memory/1288-955-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 52f2880cc948664b594234620177e556
SHA1 68edd2c38bbb6c4a5d5ef4ce3f30826d81d82f7d
SHA256 acd2db2d092b1abcae320aa758426326b42269d2ddcb2cc3ddf510d5d224330f
SHA512 2f19a0c87c804427a020bb53608a1c34514bd3e73fc49cba7fb033b1d2dada4ce03f38545bd77ed73692755fe11540396a9d5021072a8afb5d8636ce54544a8a

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 11:33

Reported

2024-06-15 11:36

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\dllhost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\Prism Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe N/A
N/A N/A C:\ProgramData\Windows Runtime.exe N/A
N/A N/A C:\ProgramData\Windows Runtime.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" C:\Users\Admin\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows Runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows Runtime.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1604 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 1604 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\dllhost.exe
PID 1604 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 1604 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe C:\Users\Admin\Prism Executor.exe
PID 2248 wrote to memory of 3608 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe
PID 2248 wrote to memory of 3608 N/A C:\Users\Admin\Prism Executor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe
PID 2268 wrote to memory of 4908 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4908 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4548 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4548 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4396 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4396 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4068 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 4068 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 3252 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe
PID 2268 wrote to memory of 3252 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\schtasks.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4836 wrote to memory of 1716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4308 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1716 wrote to memory of 4664 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe

"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAdABtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAegBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIAAtACAAUgB1AG4AIABBAHMAIABBAGQAbQBpAG4AIABJAGYAIABJAG4AagBlAGMAdABpAG8AbgAgAEYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdQBzAGQAIwA+AA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAdwBhACMAPgA="

C:\Users\Admin\dllhost.exe

"C:\Users\Admin\dllhost.exe"

C:\Users\Admin\Prism Executor.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe

"C:\Users\Admin\Prism Executor.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.0.35682807\1938772953" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddfe263-0ec0-4dd7-88d3-a3c14a53141f} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 1948 219146d9158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.1.446440770\1792840606" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a778e791-78ec-4b26-b3c4-1c542cd94271} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 2348 21907c70a58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.2.700015724\363079945" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d60a3331-5c9f-499d-987d-b4d576784252} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 3160 2191465ae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.3.2038223076\1005855260" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c2ce1b3-5eae-4abb-a60f-4e8c8d4a8334} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 3624 21907c6dc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.4.2090275595\1523311465" -childID 3 -isForBrowser -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {611be4a1-b7f5-4ef0-b8bb-3e37b1189678} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4692 2191a786d58 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.5.608705048\71504514" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 2892 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2f3ff47-fe40-4c3e-9772-f83423588995} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4952 21907c61358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.6.1954166490\853083925" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fd6e46c-f43a-4ece-b281-52ee32c54929} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5336 21919342758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.7.60248656\632143970" -childID 6 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31811d3-2a7d-464b-b9b0-8273c60ff6c0} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5512 21919342a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.8.1957125246\1328769048" -childID 7 -isForBrowser -prefsHandle 4760 -prefMapHandle 6132 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69fd7fc-2328-4ffd-803c-25469e99a07c} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4628 2191a788558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.9.920285735\1992755726" -childID 8 -isForBrowser -prefsHandle 3592 -prefMapHandle 4076 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4fc889-4b13-42f7-b5a3-ade84783c4b2} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 4944 21918495158 tab

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.10.336556927\772972749" -childID 9 -isForBrowser -prefsHandle 3564 -prefMapHandle 3568 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b8da90-7089-4901-9c6a-81367fc2a3dc} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5176 2191c37dc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.11.189417213\723425205" -childID 10 -isForBrowser -prefsHandle 6156 -prefMapHandle 3592 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f7993b3-0f37-44d5-add6-fd1b8d77937f} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 5268 2191d940d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.12.1816902579\1246439403" -parentBuildID 20221007134813 -prefsHandle 6496 -prefMapHandle 6440 -prefsLen 26725 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c93434c-64b7-4518-831f-656d2ca56906} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 6488 2191db70858 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1716.13.173325312\1702560172" -childID 11 -isForBrowser -prefsHandle 6696 -prefMapHandle 6700 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15bb4b6-3cd2-4646-b5eb-090289d5faeb} 1716 "\\.\pipe\gecko-crash-server-pipe.1716" 6676 2191de05058 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 91.92.241.69:5555 tcp
US 8.8.8.8:53 69.241.92.91.in-addr.arpa udp
N/A 127.0.0.1:50974 tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 52.33.96.36:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 36.96.33.52.in-addr.arpa udp
N/A 127.0.0.1:50983 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.roblox.com udp
DE 128.116.123.3:443 www.roblox.com tcp
US 8.8.8.8:53 edge-term4-fra2.roblox.com udp
US 8.8.8.8:53 edge-term4-fra2.roblox.com udp
US 8.8.8.8:53 3.123.116.128.in-addr.arpa udp
DE 128.116.123.3:443 edge-term4-fra2.roblox.com udp
US 8.8.8.8:53 css.rbxcdn.com udp
US 205.234.175.102:443 css.rbxcdn.com tcp
US 205.234.175.102:443 css.rbxcdn.com tcp
US 8.8.8.8:53 roblox-css.cachefly.net udp
US 205.234.175.102:443 roblox-css.cachefly.net tcp
US 205.234.175.102:443 roblox-css.cachefly.net tcp
US 205.234.175.102:443 roblox-css.cachefly.net tcp
US 205.234.175.102:443 roblox-css.cachefly.net tcp
US 8.8.8.8:53 roblox-css.cachefly.net udp
US 8.8.8.8:53 static.rbxcdn.com udp
US 8.8.8.8:53 roblox-static.cachefly.net udp
US 8.8.8.8:53 js.rbxcdn.com udp
US 8.8.8.8:53 roblox-static.cachefly.net udp
US 205.234.175.102:443 js.rbxcdn.com tcp
US 8.8.8.8:53 roblox-js.cachefly.net udp
US 205.234.175.102:443 roblox-js.cachefly.net tcp
US 205.234.175.102:443 roblox-js.cachefly.net tcp
US 205.234.175.102:443 roblox-js.cachefly.net tcp
US 8.8.8.8:53 roblox-js.cachefly.net udp
US 8.8.8.8:53 102.175.234.205.in-addr.arpa udp
US 8.8.8.8:53 roblox.com udp
US 8.8.8.8:53 images.rbxcdn.com udp
GB 128.116.119.4:443 roblox.com tcp
US 8.8.8.8:53 roblox-images.cachefly.net udp
US 205.234.175.102:443 roblox-images.cachefly.net tcp
US 8.8.8.8:53 roblox.com udp
US 8.8.8.8:53 roblox-images.cachefly.net udp
GB 128.116.119.4:443 roblox.com udp
US 8.8.8.8:53 4.119.116.128.in-addr.arpa udp
US 8.8.8.8:53 metrics.roblox.com udp
US 8.8.8.8:53 apis.roblox.com udp
US 8.8.8.8:53 apis.rbxcdn.com udp
US 8.8.8.8:53 ecsv2.roblox.com udp
DE 128.116.123.3:443 ecsv2.roblox.com tcp
DE 128.116.123.3:443 ecsv2.roblox.com tcp
US 8.8.8.8:53 edge-term4-fra2.roblox.com udp
DE 128.116.123.3:443 ecsv2.roblox.com tcp
IE 2.18.24.24:443 apis.rbxcdn.com tcp
US 8.8.8.8:53 a1818.b.akamai.net udp
US 8.8.8.8:53 a1818.b.akamai.net udp
DE 128.116.123.3:443 ecsv2.roblox.com udp
DE 128.116.123.3:443 ecsv2.roblox.com udp
DE 128.116.123.3:443 ecsv2.roblox.com tcp
DE 128.116.123.3:443 ecsv2.roblox.com udp
US 8.8.8.8:53 24.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 id.google.com udp
GB 172.217.16.227:443 id.google.com tcp
US 8.8.8.8:53 id.google.com udp
US 8.8.8.8:53 id.google.com udp
GB 172.217.16.227:443 id.google.com udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.46:443 play.google.com udp
US 8.8.8.8:53 adservice.google.co.uk udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
GB 142.250.187.226:443 adservice.google.co.uk tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.204.66:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 226.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 66.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 static.trafficjunky.com udp
US 8.8.8.8:53 ei.phncdn.com udp
GB 64.210.156.18:443 ei.phncdn.com tcp
GB 64.210.156.18:443 ei.phncdn.com tcp
US 8.8.8.8:53 static.trafficjunky.com.sds.rncdn7.com udp
GB 64.210.156.21:443 static.trafficjunky.com.sds.rncdn7.com tcp
GB 64.210.156.21:443 static.trafficjunky.com.sds.rncdn7.com tcp
GB 64.210.156.21:443 static.trafficjunky.com.sds.rncdn7.com tcp
GB 64.210.156.21:443 static.trafficjunky.com.sds.rncdn7.com tcp
GB 64.210.156.21:443 static.trafficjunky.com.sds.rncdn7.com tcp
GB 64.210.156.21:443 static.trafficjunky.com.sds.rncdn7.com tcp
US 8.8.8.8:53 ei.phncdn.com.sds.rncdn7.com udp
US 8.8.8.8:53 static.trafficjunky.com.sds.rncdn7.com udp
US 8.8.8.8:53 ei.phncdn.com.sds.rncdn7.com udp
US 8.8.8.8:53 prvc.io udp
US 8.8.8.8:53 cdn1-smallimg.phncdn.com udp
US 8.8.8.8:53 media.trafficjunky.net udp
US 8.8.8.8:53 prvc.io udp
US 8.8.8.8:53 smallimg.phncdn.com udp
US 8.8.8.8:53 prvc.io udp
US 104.21.56.52:443 prvc.io tcp
US 66.254.114.156:443 smallimg.phncdn.com tcp
US 8.8.8.8:53 media.trafficjunky.net.sds.rncdn7.com udp
US 8.8.8.8:53 smallimg.phncdn.com udp
US 8.8.8.8:53 media.trafficjunky.net.sds.rncdn7.com udp
GB 64.210.156.18:443 media.trafficjunky.net.sds.rncdn7.com tcp
US 8.8.8.8:53 18.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 21.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 156.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 52.56.21.104.in-addr.arpa udp
US 104.21.56.52:443 prvc.io udp
US 8.8.8.8:53 www-alv.google-analytics.com udp
US 8.8.8.8:53 www-alv.google-analytics.com udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 ss.phncdn.com udp
GB 64.210.156.20:443 ss.phncdn.com tcp
US 8.8.8.8:53 ss.phncdn.com.sds.rncdn7.com udp
US 8.8.8.8:53 ss.phncdn.com.sds.rncdn7.com udp
US 8.8.8.8:53 20.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 178.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 ht-cdn.trafficjunky.net udp
US 8.8.8.8:53 ht-cdn.trafficjunky.net.sds.rncdn7.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 ht-cdn.trafficjunky.net.sds.rncdn7.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
GB 64.210.156.21:443 ht-cdn.trafficjunky.net.sds.rncdn7.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 storage.googleapis.com udp
GB 142.250.200.59:443 storage.googleapis.com tcp
US 8.8.8.8:53 storage.googleapis.com udp
US 8.8.8.8:53 storage.googleapis.com udp
GB 142.250.200.59:443 storage.googleapis.com udp
US 8.8.8.8:53 59.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 8.8.8.8:53 region1.analytics.google.com udp
GB 142.250.200.3:443 www.google.co.uk tcp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 www.google.co.uk udp
GB 142.250.200.3:443 www.google.co.uk udp
US 8.8.8.8:53 pornhub.com udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
BE 108.177.15.157:443 stats.g.doubleclick.net tcp
BE 108.177.15.157:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 157.15.177.108.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 166.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\dllhost.exe

MD5 4a7f75343aaa5a4d8d18add50ccf3139
SHA1 110c62eee6d7deb4aa9d601c942eae43482d2125
SHA256 34be6a934fd45752e788f9ba20943c8e52d91732d76e9f30a5176e98dccd956e
SHA512 1f1516fc41e0b90d0d47e306da15a542799425159f4ad476cf4fd88b9b56d200c79c72ce29ca5b0acf2a195cabe803c37c72b8d76e99a69a04dbfe1fb9f9fc79

memory/2268-29-0x00007FF9D5303000-0x00007FF9D5305000-memory.dmp

memory/2268-32-0x0000000000030000-0x000000000004A000-memory.dmp

C:\Users\Admin\Prism Executor.exe

MD5 fa819e23d8fee4ea89aaaea55e0b28f5
SHA1 18335d4e0d140dcab66c7197c57f669251898ce5
SHA256 bb4fbbf322982321c56ac48cb7939ef7cb823b510a184c41e284f2cdf1bab68c
SHA512 e6170df5c8705e96a76cb3b366c9410c8f8e5c5dd5753de9be87e47a1c989b4723dd655e3355d52096f7acd3185a5469ed5bf284e7765e9519522ae132cef07d

memory/1436-645-0x0000000004B20000-0x0000000004B56000-memory.dmp

memory/4700-646-0x0000000002DE0000-0x0000000002E16000-memory.dmp

memory/4700-844-0x0000000005620000-0x0000000005C48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\nexusloader.exe

MD5 58545dc488990ac11872079d119f8284
SHA1 dade5c16834d582a5187041697cc5a7c2eae2f88
SHA256 6669bd79928492ab626c6cc64de35e3da76d655bbd197b5cc644584014fea5bc
SHA512 93d6e3f6a2ff03b4b58db7c04f8ad00e5c5f95eceefd199b73a8af6009ef381f758825ebe3d0d3076f917299c850b2859fb2ec35eeef59126617d2a0ec54dcd7

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\VCRUNTIME140.dll

MD5 11d9ac94e8cb17bd23dea89f8e757f18
SHA1 d4fb80a512486821ad320c4fd67abcae63005158
SHA256 e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
SHA512 aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll

MD5 e3c7ed5f9d601970921523be5e6fce2c
SHA1 a7ee921e126c3c1ae8d0e274a896a33552a4bd40
SHA256 bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77
SHA512 bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll

MD5 ad03d1e9f0121330694415f901af8f49
SHA1 ad8d3eee5274fef8bb300e2d1f4a11e27d3940df
SHA256 224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9
SHA512 19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\_tkinter.pyd

MD5 0f1aa5b9a82b75b607b4ead6bb6b8be6
SHA1 5d58fd899018a106d55433ea4fcb22faf96b4b3d
SHA256 336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190
SHA512 b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\init.tcl

MD5 e10e428598b2d5f2054cfae4a7029709
SHA1 f8e7490e977c3c675e76297638238e08c1a5e72e
SHA256 61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939
SHA512 88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\tclIndex

MD5 996f74f323ea95c03670734814b7887f
SHA1 49f4b9be5ab77e6ccab8091f315d424d7ac183f3
SHA256 962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13
SHA512 c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\tm.tcl

MD5 52db1cd97ceab81675e86fa0264ea539
SHA1 b31693b5408a847f97ee8004fed48e5891df6e65
SHA256 6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669
SHA512 5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\pkgIndex.tcl

MD5 d942ff6f65bba8eb6d264db7d876a488
SHA1 74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb
SHA256 e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3
SHA512 3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\tk.tcl

MD5 25094462d2ea6b43133275bf4db31a60
SHA1 6bb76294e8fdf4d40027c9d1b994f1ab0014b81b
SHA256 3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1
SHA512 8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\opt0.4\pkgIndex.tcl

MD5 92ff1e42cfc5fecce95068fc38d995b3
SHA1 b2e71842f14d5422a9093115d52f19bcca1bf881
SHA256 eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718
SHA512 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\http1.0\pkgIndex.tcl

MD5 10ec7cd64ca949099c818646b6fae31c
SHA1 6001a58a0701dff225e2510a4aaee6489a537657
SHA256 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c
SHA512 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\scale.tcl

MD5 1ce32cdaeb04c75bfceea5fb94b8a9f0
SHA1 cc7614c9eade999963ee78b422157b7b0739894c
SHA256 58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365
SHA512 1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\panedwindow.tcl

MD5 2da0a23cc9d6fd970fe00915ea39d8a2
SHA1 dfe3dc663c19e9a50526a513043d2393869d8f90
SHA256 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29
SHA512 b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\menu.tcl

MD5 12ec5260eb7435c7170002e011fe8f17
SHA1 e88f5423a7133784a1a2d097c4e602e5de564034
SHA256 588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e
SHA512 5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\listbox.tcl

MD5 b3b6a3bd19ddde4a97ea7cf95d7a8322
SHA1 2f11d97c091de9202f238778c89f13a94a10d3be
SHA256 b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4
SHA512 f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\entry.tcl

MD5 1d9ff9bb7fedb472910776361510c610
SHA1 c190dd07bcc55741b9bdfc210f82df7b7c2fac81
SHA256 dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04
SHA512 85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\button.tcl

MD5 cf6e5b2eb7681567c119040939dd6e2c
SHA1 3e0b905428c293f21074145fe43281f22e699eb4
SHA256 2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53
SHA512 be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\icons.tcl

MD5 2652aad862e8fe06a4eedfb521e42b75
SHA1 ed22459ad3d192ab05a01a25af07247b89dc6440
SHA256 a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161
SHA512 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\ttk.tcl

MD5 e38b399865c45e49419c01ff2addce75
SHA1 f8a79cbc97a32622922d4a3a5694bccb3f19decb
SHA256 61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6
SHA512 285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\combobox.tcl

MD5 06b885722c8555668bcbe8d7d9aa4c75
SHA1 8172c8886884de462549aa94fca440b99da90583
SHA256 057f8f447de3a753714b8f82b96054e1849a2424749f3482492eae192baacdcf
SHA512 d81ab53d48ed1d79da57fc2d2b599199ee985e237046244a2f820daacd2e8565c65d63e9b6f80175c30fd48290226a547d6d603293a4b7e4a455795f7fce7179

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\entry.tcl

MD5 3dea98c515f6f731e666656da9708f12
SHA1 212865fc5c635eeca380efc1b3fbb85554714c47
SHA256 fe32f8b154893218acaba93ac4b8e1170d9b3e3ab66df63df85c0a31c17592be
SHA512 2901b5f92df95cbd1ec71acf86646af2f1d6058232eef1b5779192bad6df0bbbbc5902e363f809671f06d13270b1581d55f611556d48b1a843194477a113aeab

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\treeview.tcl

MD5 5bec78db1a86b4bc17a5108806c5371e
SHA1 4b2b08240f778864c5045f546a620702ae126ccb
SHA256 0e05adf29b616989cb4724e57a26f1044598781f0cc10d5eb5ac4af7d705ddca
SHA512 29dff439bb5caa23f8f38ea136406fa2db68be021068f80bad2e2ec811ae5c5b08f4f287719db946db780122af05654392ea771fb523bdc1569b364689d3ec86

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\spinbox.tcl

MD5 ebce661f8125f54c7dff9f076fb2bfe2
SHA1 966603a85eadba4e003e8307a7e581cd6839716f
SHA256 7c2ffd7308bdea852851335d5b5eb5dcca0e4d4a0cea16f786b40009ffd58b71
SHA512 35f518e20986ab951ff33091f405ea1647534ccb77c8c36a94b1ab4a973df3ed52355864702b6526888830af8c912105e542027b5d68f81ac2a9f40ad2ba2632

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\panedwindow.tcl

MD5 a12915fa5caf93e23518e9011200f5a4
SHA1 a61f665a408c10419fb81001578d99b43d048720
SHA256 ce0053d637b580170938cf552b29ae890559b98eb28038c2f0a23a265ddeb273
SHA512 669e1d66f1223cca6ceb120914d5d876bd3cf401ee4a46f35825361076f19c7341695596a7dbb00d6cff4624666fb4e7a2d8e7108c3c56a12bda7b04e99e6f9a

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\notebook.tcl

MD5 82c9dfc512e143dda78f91436937d4dd
SHA1 26abc23c1e0c201a217e3cea7a164171418973b0
SHA256 d1e5267cde3d7be408b4c94220f7e1833c9d452bb9ba3e194e12a5eb2f9adb80
SHA512 a9d3c04ad67e0dc3f1c12f9e21ef28a61fa84dbf710313d4ca656bdf35dfbbfba9c268c018004c1f5614db3a1128025d795bc14b4fffaa5603a5313199798d04

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\progress.tcl

MD5 b0074341a4bda36bcdff3ebcae39eb73
SHA1 d070a01cc5a787249bc6dad184b249c4dd37396a
SHA256 a9c34f595e547ce94ee65e27c415195d2b210653a9ffcfb39559c5e0fa9c06f8
SHA512 af23563602886a648a42b03cc5485d84fcc094ab90b08df5261434631b6c31ce38d83a3a60cc7820890c797f6c778d5b5eff47671ce3ee4710ab14c6110dcc35

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\scale.tcl

MD5 b41a9df31924dea36d69cb62891e8472
SHA1 4c2877fbb210fdbbde52ea8b5617f68ad2df7b93
SHA256 25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479
SHA512 a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\scrollbar.tcl

MD5 cf7bc1ffbf3efee2ca7369215a3b1473
SHA1 e2632241089f9dc47fa76cd0c57615d70753008c
SHA256 b3a0e10c95b28c90cccfc373152bd30ab7da2fb4c0e96409aeeb01d453f36b4a
SHA512 01841cda93aa0ce1a5b1fc65db153902b872b7e9d1030ef8902e086bbeb35649fd742dd96d1aed9cf620692fde6f4e2ccd865dc7a125452ffd16a65918956dda

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\menubutton.tcl

MD5 fe89894d8cbf415541a60d77192f0f94
SHA1 c0716b2d8e24592757b62d24eeed57121b60e00f
SHA256 d9af20135ef1bfeb3e0fd9fdabe821474de3ed43b3745a42fe564d24a8b9fd9c
SHA512 66488cbcac49cca47c9c560648e891d429f40e46549f58687b98073eba4807a8458a277be093ebfc50709a8a87a529df4e526eccfb60803ce16af17b97accd3d

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\button.tcl

MD5 ea7cf40852afd55ffda9db29a0e11322
SHA1 b7b42fac93e250b54eb76d95048ac3132b10e6d8
SHA256 391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d
SHA512 123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\utils.tcl

MD5 f868a26a299885824b14ca28f68039ce
SHA1 e37a1889e6cc215102ec078d0455622415ed8486
SHA256 6c35cd6c7f3ac4be3fe0cc7633dbbde5123155921a441ba702b4347e6f967f34
SHA512 14d8fd30fe670ce4630ce5b7b1e4b04a2a3f97d6483d87d0d7a2b675e880ab75e947820a4babd337452d683e0cbb7b92b4c866af19a8dcd5711016e012d597e2

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\cursors.tcl

MD5 74596004dfdbf2ecf6af9c851156415d
SHA1 933318c992b705bf9f8511621b4458ecb8772788
SHA256 7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6
SHA512 0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\fonts.tcl

MD5 7017b5c1d53f341f703322a40c76c925
SHA1 57540c56c92cc86f94b47830a00c29f826def28e
SHA256 0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0
SHA512 fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\text.tcl

MD5 33230f852aac8a5368aeba1834dcec77
SHA1 beba97c48a110f4a9fe86f60e5fd4ca6ac55e964
SHA256 f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441
SHA512 caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\spinbox.tcl

MD5 9971530f110ac2fb7d7ec91789ea2364
SHA1 ab553213c092ef077524ed56fc37da29404c79a7
SHA256 5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a
SHA512 81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\scrlbar.tcl

MD5 b44265f793563ad2ad66865dec63b2c2
SHA1 23e6f7095066ed3b65998324021d665d810e6a93
SHA256 189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81
SHA512 3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\sizegrip.tcl

MD5 3c8916a58c6ee1d61836e500a54c9321
SHA1 54f3f709698fad020a048668749cb5a09ede35ab
SHA256 717d2edd71076ea059903c7144588f8bbd8b0afe69a55cbf23953149d6694d33
SHA512 2b71569a5a96cac1b708e894a2466b1054c3fae5405e10799b182012141634bd2a7e9e9f516658e1a6d6e9e776e397608b581501a6cfe2eb4ec54459e9ecb267

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\defaults.tcl

MD5 16843ecd9e716a87d865a6539ef44751
SHA1 3df76af0d6e4c386d63dd061100702dbb0f72a42
SHA256 d83248b535a9417ce0ca598bbe245f24252adc90e3611c1191a045d9c0a9c99f
SHA512 7f5e7a200fd6b012a9336035211d9d89f0504f61156629ebcc1a03bcf8462ba8d219de376b6bb3ebb9e6a9507f0ac6f7d658eed5b953110df553b3c0c44ebc1d

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\altTheme.tcl

MD5 ae1b9c4dc2de8e899749fb4e1fcb4df6
SHA1 2a09d325ca56c930b3afb1ee43c944fd4416b8e1
SHA256 92b8be9d8934850b6d240b970603b0ad7c6dd4a45134545694fb52966d742861
SHA512 2803f96729805c90143e0c4c9bf25398bac7d6e4402cb09be354c35566fc3c3bd9522372147c0e956bdbbc2943b9aecb0f5c96b527a26fd790b8fdb5b99efe10

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\classicTheme.tcl

MD5 70f3edfbfd4c16febdd8311290a0effe
SHA1 4b1d63d59c72c357931a8cbbf071654492a9b371
SHA256 c7b1f40d77820fbaf2195f2bb3f334b38fec653fe47653f9e30a01ad4ca63ba5
SHA512 a58c584ada6d271316266d58641be260f98e6fa0ae867ee9e343807a2955ddd3544b864cca80dc7f164ed4be5331575b696650ff0bb469c3647c5cb122f2a64c

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\winTheme.tcl

MD5 8b4813a1c6915fd35b52ac854230bcc1
SHA1 db981087f2a311361446014fadbd8b199d856716
SHA256 05fad058280e7a8947a9f71122b442b92d7d578b4618b08bf0b71b6dac5aa22f
SHA512 e0a69e94aabd725b441d6c4920f1cd54451bcc00090d9319cb55286a46a7f35066d1959de149d900198f777671004f6d8a64e7d31e42f8a76e89ed122a79a9ff

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\xpTheme.tcl

MD5 1026799ffe26aaa8661f64d6f2cbe4dd
SHA1 5cd337feb3130d146134e06c4a1826ba29157e7a
SHA256 ff421674388da5d3a0c687f342f8d1e3c7f247f3cb59d5512b31f91a54a4c318
SHA512 90f1062caa87c0d65aede1d71370ebe35ad90f4033e6077169b7168b4754c0ff46a9f6348f4d907dcf20ab8f63bb6e0d106a05f068c5abeb86d26f5ea00f503c

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\clamTheme.tcl

MD5 beced087eeb3d5c9b2eabdb19c030d52
SHA1 be285e65905d335be442606afa3a88e408d5ec5b
SHA256 93c29536262c582104bf1804d7b06c7565b7d621f2e3605ff8b6c981a3b4ab01
SHA512 84b733c3fbe63c32b5b1e6cd132bd1b55f07b47612b70455c17c4d6d239682672c838cc3d739283079d0d2d8567fca9b763465d8d2148d25b5952282ed521a79

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tk\ttk\vistaTheme.tcl

MD5 ad2d78020875529834dd0ea74251e2d3
SHA1 80cc99972a056396dd55e9505ccb02e16462b115
SHA256 ce1a53a769de9e230f586efafd2fb455980b45941e5db553bd3a2f0062b50f3e
SHA512 59ec21a44769fec0b462f0675217882ecf5cbc64056024e4259d91233a1397b4b89957bd474387c992a8753dc9c350fda7e6e5c6e9d29c655d62362a018e2194

C:\Users\Admin\AppData\Local\Temp\onefile_2248_133629248208173052\tcl\encoding\symbol.enc

MD5 1b612907f31c11858983af8c009976d6
SHA1 f0c014b6d67fc0dc1d1bbc5f052f0c8b1c63d8bf
SHA256 73fd2b5e14309d8c036d334f137b9edf1f7b32dbd45491cf93184818582d0671
SHA512 82d4a8f9c63f50e5d77dad979d3a59729cd2a504e7159ae3a908b7d66dc02090dabd79b6a6dc7b998c32c383f804aacabc564a5617085e02204adf0b13b13e5b

memory/4700-1034-0x0000000005400000-0x0000000005422000-memory.dmp

memory/1436-1035-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/4700-1036-0x0000000005D50000-0x0000000005DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0hiuz4r.z0s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4700-1055-0x0000000005EC0000-0x0000000006214000-memory.dmp

memory/4908-1056-0x0000029866BE0000-0x0000029866C02000-memory.dmp

memory/1436-1066-0x00000000060F0000-0x000000000610E000-memory.dmp

memory/1436-1067-0x0000000006640000-0x000000000668C000-memory.dmp

memory/4908-1070-0x0000029866D70000-0x0000029866EBE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/4700-1082-0x00000000079E0000-0x000000000805A000-memory.dmp

memory/4700-1083-0x0000000006910000-0x000000000692A000-memory.dmp

memory/1436-1084-0x0000000006690000-0x00000000066C2000-memory.dmp

memory/1436-1085-0x0000000074570000-0x00000000745BC000-memory.dmp

memory/1436-1095-0x0000000006620000-0x000000000663E000-memory.dmp

memory/1436-1098-0x0000000007100000-0x00000000071A3000-memory.dmp

memory/4548-1097-0x0000022FFF8C0000-0x0000022FFFA0E000-memory.dmp

memory/4700-1099-0x0000000008610000-0x0000000008BB4000-memory.dmp

memory/4700-1100-0x00000000077B0000-0x0000000007842000-memory.dmp

memory/1436-1101-0x0000000007280000-0x000000000728A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1 5357f66ba69b89440b99d4273b74221670129338
SHA256 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

memory/1436-1112-0x00000000076E0000-0x0000000007776000-memory.dmp

memory/4396-1114-0x0000016EEBBD0000-0x0000016EEBD1E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ad148cc543edfb880854c755c2ad2081
SHA1 b81e48b6803d15a7a33d80f445fd61c5162a2d35
SHA256 a316471edb159f94a596f031c2a45818dae3936034e8474d238455e26a351e23
SHA512 9f6066e011637150355b8debfd24b65e0bd7ba1bc1133d4850bd490a8d99b52c38b00baf20674f16bb4998c9287c3b15362e143dbe27698f524302c7a5d350a8

memory/1436-1125-0x00000000072D0000-0x00000000072E1000-memory.dmp

memory/4068-1127-0x0000024F3DD60000-0x0000024F3DEAE000-memory.dmp

memory/1436-1128-0x0000000007660000-0x000000000766E000-memory.dmp

memory/1436-1130-0x0000000007670000-0x0000000007684000-memory.dmp

memory/1436-1131-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/1436-1132-0x00000000076A0000-0x00000000076A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\e11e5212-73c7-4789-acf3-32b538b4032e

MD5 9b5b96ab518be7f4c0bc14c684edcca6
SHA1 5f21678661d4d234540c47934e11c09ca53b4b10
SHA256 e77fc92380ec2ecbb9c8406ece543ca8ade257ae0fcef1fbc171722426ed6027
SHA512 15e0104f2e774bb923817ff8d493d2d4b6ce5fcee5e7044413e6d8f89bea894e36d4d04429065cabac8bfb8d22e5ba08c65550e51cea7feb396a5b1ad75b43ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\ed2c2cd6-b4b7-4160-a9a0-d880fb9709a9

MD5 3d78c6074d7f524095b4c7983d86647f
SHA1 65b1a0c8018c14e2d66538b92b245d4d58afc12b
SHA256 b7ebf7cf53bb9c5091f1cff2bf63bc8fbf5e5c65deb9e73832a82ce56ed8ed35
SHA512 4393db369f7f7d4c77aa93dcc3009f4d3ef28fb185b86786db5f4549c72242597ea67e1356dfb95eac1ec2d0c2d560286c9bbbb0d4ee0f18e9bafb79a10fa2b8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

MD5 9ea67bae7954a4780b3e536597756e93
SHA1 f38d209b39730d388e9bfc6f20f827f2a23e4325
SHA256 e00c7a435aab2ed20fbbe8ad2e17634ee1b02c2392346ae3e726bce02397a6e9
SHA512 09bc47a6232ac89dc2f2e8a64de116a206d06bef0840edec9dbb032fbff008655a76afa9601f641d13f38ec066fd9c5a15aaedbe8ed26887d8c590114d24ae03

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

MD5 ed711fe1756be07bd7d52f09197110da
SHA1 4d9bb58f60d83d77d864fe580d54a113a80c42c0
SHA256 365100fbdfdede2f0f818e039ee6c25fdfd45c0e4fa3c8b3f3005af94e432155
SHA512 c3bb44a403981851ee5cd58e787e26d74a2e1df1f3a8a7fdb09160c9de619550c2983d1abbb7fd40faac4cf75d6945ece095f1bbe895a87ad3f59350eddb44a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 03994b88bdc9e598d88f9273dfec8e0e
SHA1 9c4d73dc30e024c6884167494d36edc072a59cc6
SHA256 51f2123c825c0e1071fa87a6d9e6cf057b9829be2092ba1277681ce095dd270e
SHA512 17741d2e38e8a695c7b10ad67bf390d5ce515136ccf2e7445aa705d427c2f05213ce83cfa333651971759e49bebd2d70b3fd3535b17008328f69cf3a04c407a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 3e70ce5e3dee6b04c905648b716ab51a
SHA1 adc10e020b5e404c3238de3605233457f4d3899b
SHA256 3784b39e01fb40ac4f33deee3508cfac8cb7994e0e236552f329a98a22782441
SHA512 dc88f6ae9ed8e01852ec968c2dbf0ecd23f39803b21ad0fe6f869144e40417c52be91bab4b882ce7d11415ef9ccedd46a7ad5de37c29d10dd4de4e59ebda9055

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7506c7db800d9c36705ec2b1916baf6b
SHA1 48647928b1c8c2279f1621ab144596fe00f04800
SHA256 15a682c10166616ab664c79e2e054dac47d24683a436b58764f5688531e02d6c
SHA512 5973d82261e25d53f6eca1a3338abcc0395133c173f77da2bb94c2941aec8d89342e4625827fbe719a3adc5d57d783c2521c1b472b53dea38cd68b2d97dce4d8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 57749702866f3021368b5ec72f0bc7ba
SHA1 8e7448b38728fd067dc30b520d569345f89eac48
SHA256 baaf77958b2a1313972f5c75cd98d4d87d4527a1a8d78569504197d67c85cdf8
SHA512 082bfd04b7955bb98803fb8b5f54d8f566a758e2621a726bd4056cc0bfcf31aced8a263f9ca609b9e2d0b651345e06dee97f72908e586eccec1c8f6e4b44db95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 9c024939eab5036985819bbda388818a
SHA1 3e62562e92408a880c4d27334231119d3e36c89e
SHA256 3e3969425884c1852243c514a209b0db251916ec88c9ee9de96950b881dbe0df
SHA512 35c0fbac85657328d3493f47f02e896dbb0fc61658f07aa752dccf73d89288754ace168eca22f2658228d1d4a4f2b2b52dbb655bd1bf628288fba66f54914708

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 67876631c1a3ffca04db9e47c2663319
SHA1 fe64c843ee49b4c264e0fc52ef17fdb37a8f2a80
SHA256 5249668ec40d1d4be705771a3c7f566b5f94c8c76bb12a667551c06d3e822768
SHA512 58154a973a269ba6ceb8f7cf3e6046631edc32765a7d2d6ef33befb8e3773ac84f75d210b81813fe87abc33556a809902cbbfb0176fe1525a225e072ed50eb85

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c5f88a3ba7edbe7effec4ced7baf518e
SHA1 0dcd2ae571a1d66f99a45239b853777ed3492914
SHA256 55e957a1794d4e8a3f03247efe928609eac04d709662b519cd69ad0982c822a4
SHA512 96e54db90b2a2aef3acf81484411e030299c16bdfa611f70688bacea3f732f6e3445f12481252c72987b6312d9a927c5027c72c33abdbdee1a6f90cd382fda47

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++www.pornhub.com\cache\morgue\240\{95265aa1-13fc-4f87-8496-e9e0747c6ef0}.final

MD5 4849126d62348e96de9f534891ee372c
SHA1 04208116ad7cb0edcb2c7c754042554104172d10
SHA256 92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d
SHA512 bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 364810e7f1ea3884297da6690a745b89
SHA1 60752005ba11791cd553386d42329fcc7afd2663
SHA256 7450541cacb8a24a365aa9bbf26cf2612d80249fc998c985789763f8546e689f
SHA512 0bb48751ae45efc8b87c88d6984f415c669a888eac4bf65476c569075baf64fe92cb5acbf43baa4fff35de4dcc07603888f16d3cd86bd89f3666afc24d6fbb17

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 ef22fae60051f6858433ee20d04a4980
SHA1 23ddbfd00ad266420f43f81731d978be268e60a5
SHA256 f5e923e6ceb37c5170785b1161a14087e6c2a6adadc872eb2b0367ed682d27e5
SHA512 e2a588a346efdcb43d22dc0e0fe087ac8a6c64b6d4ff9a2c7a9f86d24b01ea2ecf69b97a5b147a770385aafdb1ef1006bf48e75597352fe404b8756d03169792

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2