Malware Analysis Report

2024-11-16 13:32

Sample ID 240526-y7xc3sca24
Target https://mega.nz/folder/NS83jazB#MqObg2t6GAd90aKbpzj9Yw/file/UeckXbJD
Tags
xworm discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://mega.nz/folder/NS83jazB#MqObg2t6GAd90aKbpzj9Yw/file/UeckXbJD was found to be: Known bad.

Malicious Activity Summary

xworm discovery persistence rat trojan

Xworm

Detect Xworm Payload

Registers COM server for autorun

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 20:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 20:26

Reported

2024-05-26 20:28

Platform

win11-20240508-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/NS83jazB#MqObg2t6GAd90aKbpzj9Yw/file/UeckXbJD

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINDOWS.lnk C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINDOWS.lnk C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (2 identical rows)
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A (57 identical rows)

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ = "C:\\Program Files\\obs-studio\\data\\obs-plugins\\win-dshow\\obs-virtualcam-module64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Note: these rows are regsvr32.exe registering the OBS Virtual Camera DirectShow filter (obs-virtualcam-module64.dll, FriendlyName "OBS Virtual Camera") that the bundled OBS Studio install drops into Program Files; the same CLSID is enrolled under {860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance in "Modifies registry class" below, and that parent GUID is the DirectShow video-input-device category (CLSID_VideoInputDeviceCategory), not an autorun location. The XWorm persistence in this run is the Startup WINDOWS.lnk and the HKCU Run value written by WINDOWS.EXE, recorded under "Drops startup file" and "Adds Run key to start application".

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWS = "C:\\Users\\Admin\\AppData\\Roaming\\WINDOWS.EXE" C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-outputs\locale\ja-JP.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-outputs\locale\nn-NO.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\en-US.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\eu-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\text-freetype2\locale\nl-NL.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\bin\64bit\imageformats\qsvg.dll C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-browser-page\locale\az-AZ.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-ffmpeg\locale\bg-BG.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\luma_wipes\sinus9.png C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\sr-SP.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\rtmp-services\locale\tl-PH.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\frontend-tools\locale\ka-GE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\id-ID.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\text-freetype2\locale\gl-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-scripting\64bit\obslua.pdb C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\hi-IN.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\aja\locale\ar-SA.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-browser-page\locale\fi-FI.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\obs-plugins\64bit\locales\ur.pak C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\it-IT.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-studio\themes\Rachni\radio_unchecked_focus.png C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\de-DE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\bn-BD.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\win-dshow\locale\pt-BR.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\sl-SI.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\fi-FI.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\bn-BD.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-outputs\locale\ur-PK.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\ka-GE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\sr-SP.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-browser\locale\gl-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-studio\locale\be-BY.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\uk-UA.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\nn-NO.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-studio\themes\Light\mute.svg C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\de-DE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\coreaudio-encoder\locale\nn-NO.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\rtmp-services\locale\zh-CN.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\et-EE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\sl-SI.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\frontend-tools\locale\eu-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-studio\locale\et-EE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-outputs\locale\hi-IN.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\obs-plugins\64bit\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\es-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\th-TH.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\it-IT.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\en-US.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-studio\themes\Dark\settings\video.svg C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-websocket\locale\hy-AM.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\uk-UA.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets64.exe C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\libobs\solid.effect C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-studio\themes\Rachni\radio_checked.png C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\aja\locale\eu-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\bn-BD.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\kab-KAB.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\lt-LT.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-studio\themes\Acri\radio_checked.png C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File opened for modification C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\sv-SE.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\locale\es-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\ca-ES.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-plugins\win-capture\graphics-hook64.pdb C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
File created C:\Program Files\obs-studio\data\obs-studio\locale\cs-CZ.ini C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\CLSID = "{A3FCE0F5-3493-419F-958A-ABA1250EC20B}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FriendlyName = "OBS Virtual Camera" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ = "C:\\Program Files\\obs-studio\\data\\obs-plugins\\win-dshow\\obs-virtualcam-module32.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b714e56313200001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\ = "OBS Virtual Camera" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ = "C:\\Program Files\\obs-studio\\data\\obs-plugins\\win-dshow\\obs-virtualcam-module64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\ = "OBS Virtual Camera" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b714e56313200001000800000aa00389b71 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\CLSID = "{A3FCE0F5-3493-419F-958A-ABA1250EC20B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FriendlyName = "OBS Virtual Camera" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de
06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d178
0336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
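The two AuthRoot entries above are written by obs64.exe, not by WINDOWS.EXE, and the decoded blobs carry the public roots "GlobalSign Root CA" and "Starfield Class 2 Certification Authority" (the key names B1BC968B... and AD7E1C28... are their SHA-1 thumbprints, and the same hashes appear inside each blob as property 3). HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates is where CryptoAPI caches roots fetched through Windows automatic root update, typically when a chain being built needs a root from the Microsoft trust list that is not yet cached, so this signature reflects the bundled OBS Studio process triggering that update rather than the RAT tampering with the trust store. The check a responder wants is that each key name equals the SHA-1 of the certificate embedded in its Blob, that the certificate is self-issued, and that its subject is the root the blob claims. The PowerShell below does that. It is an added example, not part of the sandbox report; the thumbprints and expected subject strings are taken from the rows above, and the Blob record layout it parses is the CERT_*_PROP_ID sequence Windows uses for registry-backed stores.

```powershell
# Added check for the "Modifies system certificate store" rows in this report.
# Not part of the sandbox output. Reading HKLM needs no elevation.
# Key names and expected subjects come from the report's decoded blobs.
$expected = @{
    'B1BC968BD4F49D622AA89A81F2150152A41D829C' = 'GlobalSign Root CA'
    'AD7E1C28B064EF8F6003402014C3D0E3370EB58A' = 'Starfield Class 2 Certification Authority'
}

# A registry-store Blob is a sequence of property records:
#   DWORD PropId, DWORD Reserved (always 1), DWORD Length, then Length bytes.
# PropId 0x20 (CERT_CERT_PROP_ID) carries the DER certificate; PropId 3
# (CERT_SHA1_HASH_PROP_ID) carries the SHA-1 that the key name repeats.
function Get-CertFromRegistryBlob {
    param([byte[]]$Blob)
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId    = [BitConverter]::ToUInt32($Blob, $offset)
        $length    = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $dataStart = $offset + 12
        if ($dataStart + $length -gt $Blob.Length) { break }   # truncated record, stop
        if ($propId -eq 0x20) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $dataStart, $der, 0, $length)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        }
        $offset = $dataStart + $length
    }
    return $null
}

foreach ($tp in $expected.Keys) {
    $key = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$tp"
    if (-not (Test-Path $key)) { Write-Warning "$tp not present in AuthRoot"; continue }
    $blob = (Get-ItemProperty -Path $key -Name Blob).Blob
    $cert = Get-CertFromRegistryBlob -Blob $blob
    if ($null -eq $cert) { Write-Warning "$tp : Blob carries no certificate record"; continue }
    [pscustomobject]@{
        KeyName         = $tp
        ThumbprintMatch = ($cert.Thumbprint -eq $tp)              # key name must equal SHA-1 of the DER
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)         # a root is self-issued
        SubjectMatch    = ($cert.Subject -like "*$($expected[$tp])*")
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        AlsoInRootStore = (Test-Path "Cert:\LocalMachine\Root\$tp")
    }
}
```

If ThumbprintMatch or SubjectMatch is false for an AuthRoot entry, the key was not written by the normal root-update path and deserves the "trust store tamper" reading; for the two entries in this report the sandbox's own blob contents already show both checks passing.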

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Fake Call Studio..zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
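The persistence rows above (Startup WINDOWS.lnk pointing at AppData\Local\Temp\WINDOWS.EXE, the HKCU Run value WINDOWS pointing at AppData\Roaming\WINDOWS.EXE, and a scheduled task created through schtasks.exe whose name the report does not record) together with the Zone.Identifier stream Edge wrote on the downloaded archive give a responder enough to triage a suspected host. The PowerShell below hunts for exactly those artifacts. It is an added example, not part of the sandbox report; it assumes an elevated session on the host under examination and uses only the file, value and archive names the report lists, so the patterns need adapting for other XWorm builds.

```powershell
# Added triage script for the persistence and download artifacts in this report.
# Not part of the sandbox output. Run in an elevated session on the examined host.
# The names searched for (WINDOWS.EXE, WINDOWS.lnk, Run value "WINDOWS",
# FAKE CALL STUDIO.EXE, the "Fake Call Studio" archive) come from the rows above.
$findings = @()

# 1. Run values under every loaded user hive
#    (report: HKCU\...\Run\WINDOWS = C:\Users\Admin\AppData\Roaming\WINDOWS.EXE)
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($hive in $userHives) {
    $runKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # provider metadata, not a value
        if ($p.Name -eq 'WINDOWS' -or "$($p.Value)" -match '\\WINDOWS\.EXE"?$') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$runKey\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 2. Startup-folder shortcuts whose target is WINDOWS.EXE or anything under %TEMP%
#    (report: Startup\WINDOWS.lnk created by AppData\Local\Temp\WINDOWS.EXE)
$shell    = New-Object -ComObject WScript.Shell
$userDirs = Get-ChildItem C:\Users -Directory
foreach ($userDir in $userDirs) {
    $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    if (-not (Test-Path $startup)) { continue }
    foreach ($lnk in Get-ChildItem $startup -Filter *.lnk) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -match '\\WINDOWS\.EXE$' -or $target -like '*\AppData\Local\Temp\*') {
            $findings += [pscustomobject]@{ Type = 'StartupLnk'; Where = $lnk.FullName; Value = $target }
        }
    }
}

# 3. Scheduled tasks that launch WINDOWS.EXE. The report shows schtasks.exe running
#    but not the task name, so match on the action rather than the name.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'WINDOWS\.EXE') {
            $findings += [pscustomobject]@{ Type = 'SchedTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Value = $action.Execute }
        }
    }
}

# 4. The dropped binaries, hashed for IOC sharing, and the Mark-of-the-Web stream on
#    the downloaded archive (the Zone.Identifier ADS Edge wrote, per the NTFS ADS row)
foreach ($userDir in $userDirs) {
    foreach ($rel in 'AppData\Roaming\WINDOWS.EXE', 'AppData\Local\Temp\WINDOWS.EXE', 'AppData\Local\Temp\FAKE CALL STUDIO.EXE') {
        $path = Join-Path $userDir.FullName $rel
        if (Test-Path $path) {
            $findings += [pscustomobject]@{ Type = 'DroppedFile'; Where = $path; Value = (Get-FileHash -Algorithm SHA256 -Path $path).Hash }
        }
    }
    $downloads = Join-Path $userDir.FullName 'Downloads'
    if (Test-Path $downloads) {
        foreach ($zip in Get-ChildItem $downloads -Filter '*Fake Call Studio*.zip') {
            $motw = Get-Content -Path $zip.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{ Type = 'Download'; Where = $zip.FullName; Value = ($motw -join '; ') }
        }
    }
}

$findings | Format-Table -AutoSize
```

The Zone.Identifier stream is worth keeping in the output: besides ZoneId=3, a browser-written stream usually carries the HostUrl of the download, which ties the archive on disk back to the mega.nz link this sample was submitted as.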

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: 33 N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WINDOWS.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A
N/A N/A C:\Program Files\obs-studio\bin\64bit\obs64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 1788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 1788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 3280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 3280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1124 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/NS83jazB#MqObg2t6GAd90aKbpzj9Yw/file/UeckXbJD

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcfa663cb8,0x7ffcfa663cc8,0x7ffcfa663cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5376 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004CC

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Fake Call Studio..zip\Fake Call Studio.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_Fake Call Studio..zip\Fake Call Studio.exe"

C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE

"C:\Users\Admin\AppData\Local\Temp\FAKE CALL STUDIO.EXE"

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE

"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWS" /tr "C:\Users\Admin\AppData\Roaming\WINDOWS.EXE"

C:\Users\Admin\AppData\Local\Temp\nsu4B0.tmp\check_for_64bit_visual_studio_2019_runtimes.exe

C:\Users\Admin\AppData\Local\Temp\nsu4B0.tmp\check_for_64bit_visual_studio_2019_runtimes.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OBS Studio\OBS Studio (64bit).lnk"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files\obs-studio\bin\64bit\obs64.exe

"C:\Program Files\obs-studio\bin\64bit\obs64.exe"

C:\Program Files\obs-studio\data\obs-plugins\enc-amf\enc-amf-test64.exe

../../data/obs-plugins/enc-amf/enc-amf-test64.exe

C:\Program Files\obs-studio\bin\64bit\obs-qsv-test.exe

"C:/Program Files/obs-studio/bin/64bit/obs-qsv-test.exe" 4F87 50C5

C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets64.exe

../../data/obs-plugins/win-capture/get-graphics-offsets64.exe

C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets32.exe

../../data/obs-plugins/win-capture/get-graphics-offsets32.exe

C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe

"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/29.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=5832 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --mojo-platform-channel-handle=4508 --field-trial-handle=4880,i,11266456950298330976,15141799980637133331,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe

"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/29.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=5832 --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --mojo-platform-channel-handle=5008 --field-trial-handle=4880,i,11266456950298330976,15141799980637133331,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe

"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/29.0.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=5832 --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --mojo-platform-channel-handle=5028 --field-trial-handle=4880,i,11266456950298330976,15141799980637133331,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe

"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=renderer --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/29.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=5832 --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=5244 --field-trial-handle=4880,i,11266456950298330976,15141799980637133331,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe

"C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=renderer --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/29.0.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=5832 --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=5252 --field-trial-handle=4880,i,11266456950298330976,15141799980637133331,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WinUseBrowserSpellChecker /prefetch:1

C:\Users\Admin\AppData\Roaming\WINDOWS.EXE

C:\Users\Admin\AppData\Roaming\WINDOWS.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5544 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,2564185779317601382,13214119987810674590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1

Network


Files

SHA512 727cd7eff9eab1336755909471d0a5d9eae1f069d8c3ec842fc93e9455db7be54986b0408260f44f463a45ae7c22174c2b9162491575f49b7f16000d93c19139

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 008114e1a1a614b35e8a7515da0f3783
SHA1 3c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA256 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512 a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

C:\Users\Admin\AppData\Local\Temp\nsu4B0.tmp\ioSpecial.ini

MD5 12495645927dc2a568399309dd5fe254
SHA1 1cc9894807bb566d6f407e1c2aad8c00bcd5c63b
SHA256 d4a0f376b43d38957dbebe206125354aa475112d8dc9a3cd92e55fe395561982
SHA512 dc005ebd5aea24010f8a4115f8ca4fb7efeab0b7dd3abce2af705873a7a91809a8d84e79385cae8fd52bd360c84ac5ae88bc78c76c8356f18f7248e1e860ec20

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OBS Studio\OBS Studio (64bit).lnk

MD5 ba6fd78102c32e6ad50add114e0576d3
SHA1 03b5b6bcab63f34005e51b21da76673bd7804b33
SHA256 fab817a26c2ae41651c8096cb0288a71e0d04ad381e1acbf6f678a518e4e867b
SHA512 020ca3204cbc06a4237de5f3c0585c67051dd6b2cbd55077d50b05a2f8d6e50e2332fec4177d0e336b433b1dcd4747573aeca15f3ef134135fdde5dca626fd4a

C:\Program Files\obs-studio\bin\64bit\libcurl.dll

MD5 43169d2161051db42f5b7e1fbc24cf5f
SHA1 1557fe8f7066fede8ec9a2aad79bfd08110c1c4e
SHA256 e1b9cc4b0c2ac3122311df5de738c59bed42fa0d8f94749b8b88f52f1e4b6796
SHA512 c74d4de80842942ecedfe3c85e50513f18a0ee289db5dc72ff57ba343fcce528518a0ebeb80e7e37ef3c05513dcc9b1cc195f8142e25307f62e49d16ddfa5a58

C:\Program Files\obs-studio\bin\64bit\Qt6Widgets.dll

MD5 13b5853924cf11d5dd7a1bc17d0a5611
SHA1 bc0cb64e546462154b3d699409a66161296f4ab5
SHA256 695446af2760d1952c7127a7975806ea1006360a510e5fde9a19588ec33bbdfb
SHA512 d7144c1d1c00c9c0617d9b273df88555ba40ae7837f7b36a47f0eb8e8f6cd51b793875e10a8880387502e1c8b3bf3adcdd270979685180289bc23ec1dcc008b0

C:\Program Files\obs-studio\bin\64bit\obs.dll

MD5 a72212f40da724256c258f6440f6cd7d
SHA1 3409a4682c35e1717e0e1ec578a5bf7c787abcfe
SHA256 5670cd6ade9425f06f9a7c358be38ce28bf6df624296cb033fa883b1b5ca1557
SHA512 b7c6f186a3a1701ad9244d895dd719b8c3944f11971882d7284b107bd548d379cb1c6de919d55e10157fc5714ca5757e3fe8e4686715943fdb939670922c048a

memory/5832-6393-0x00007FF63CF70000-0x00007FF63D3B3000-memory.dmp

C:\Program Files\obs-studio\bin\64bit\obs-frontend-api.dll

MD5 ed347a80e2c5dac823c55241b0831322
SHA1 80727c91ce31d594ff920c126133c2de40b42470
SHA256 787b86678f9b915a5793697332dd9ec30c21fdcc7b85fa1c2baa267cdd1a2206
SHA512 bc6f35e6f0cafebad90c02435f475100a61616ddc63c475494d44a26ddc074ff2b9814b3c2bcdd74e5c341672337bdad4a564386c60b4d3317e2dc4139c54bdc

C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

MD5 5e1a6ec63e7f3c47ee8e518eb9363bda
SHA1 7ee6c56636dc5bb77c624542dfed81cf61e1301c
SHA256 90eb7d1ad2ba1c3f742eb01a0930d3e98a5fafcdbfebe4a30a429872721ef04e
SHA512 178aa925045f84eae42846cca4d7f8a8f339a044eda2e15d2ac07c2dcbf4911a38e5df7e4e1ad288b696285daf00c630ffa79216aca9421318c0af8a220f0dac

C:\Program Files\obs-studio\bin\64bit\w32-pthreads.dll

MD5 2f116d295cbeff99487d6bc5b06e1963
SHA1 9155286b7d4c001e1d3670001b1f0a7d4b666edc
SHA256 ca3fcf379a89ad16ef7e2289d83f749d2d1c09102e89a78bf9db71bae7998fa0
SHA512 ba73175fca93ac463830fc58bea848d9ea920762b59b853848f752f325ce1e9320d778cbde959c0f594c9f32d92cde15e5dfd4b6cc503dad341df0a741c20f12

C:\Program Files\obs-studio\bin\64bit\zlib.dll

MD5 84a4eb39d67e49914b878aec39b1e5ef
SHA1 38bf9658d5f71ea2783db0441c7aa77604644d42
SHA256 da6115453a00948d3c32575051bd95f16f672ff5a2ceb572b7e9a5eaa42787c7
SHA512 b112a64bb93550cac59045eea9715b9278a8f0a57b2b912833399b67fe3db3c0f5546eb63b4adc653d24fddd9d25dd9a1d9baa7725e5b760fb1c1da238e6df6d

memory/5832-6394-0x00007FF63CF70000-0x00007FF63D3B3000-memory.dmp

C:\Program Files\obs-studio\bin\64bit\swscale-6.dll

MD5 2d54c19c41d82f19093f6c63f9be714e
SHA1 4db01c043aa24804aea4d6abe44cb60d08e307ed
SHA256 fb8c2300924f1c3e7957c66219114120c48c27281064f51643a725d0b066a0e4
SHA512 9397ea93f81e2891649a5ed7b9953d677bc7b3cb3dd7c72c1548e38a5c68ac0ccfc50ab8d17442bb9703b2bd0df37207d4de794a120770cdc23be9d6a3bb0312

C:\Program Files\obs-studio\bin\64bit\Qt6Core.dll

MD5 11d956a007ba8857ea8fac4ed9b5f6f8
SHA1 37ad844a76d453f9468a4048814aec011c75021a
SHA256 ebe487c9ec63d9c73e349a8f8ef14fe5731fbcdf501acfe36f29fdd12e6c0624
SHA512 242d81f8cd7a742783d8747c2b82945e4a0989fd6ca456ed460ae7aff5513781637d4c739a9d4176660d66d497eda2d1f2c9174fd70ccb58d78bcc40af4ad378

C:\Users\Admin\AppData\Roaming\obs-studio\basic\profiles\Untitled\basic.ini

MD5 574329e5c00e0f8389faa4b2e0064b7e
SHA1 68751df643d5fceefe80ccf8ea59005c1f689539
SHA256 e01782e0ad6fe923a9edd4565817f2d1695653145014a59ccdd895e0c3a98b21
SHA512 03bc61017296342f451ebfa7fda96be5a5eabc6f54ed8fecd1d6d1c44f397184c1d1322650b3e3dd8ab061d532bbb76e45142171c87ee89fbdd6a12cad32e10f

C:\Users\Admin\AppData\Roaming\obs-studio\basic\profiles\Untitled\basic.ini

MD5 ca6c5ed863b84359de0f7d0e4a05901e
SHA1 9870338c383a8d0d94e06b0cdd84af4beb6bb974
SHA256 7fa8fe85d7505d7565ed9dceaa85ca7ca0d478cac1528597348fa990f312ae0c
SHA512 4b0cbfef4db08a6a8a53d2d407093c2c93df82ada823275e185aca4cdd8fad6b4f6122c44af09569cfacfc6d79599246b90cf5718e27afa4ed27a51d60ea029d

C:\Users\Admin\AppData\Roaming\obs-studio\basic\profiles\Untitled\basic.ini

MD5 d785072bd43717886593f737817fff15
SHA1 8c7ef0936b7f5a5cec10e9b5e1278400e276e6f7
SHA256 7989006d0b1b17f5e4f4e20960713600d80612c3799963454e463f689a3cf613
SHA512 8bcd4ed11b248d2934bb7fed91cd8645b77f89ac75f357277a9de04e1121ef4217e982783d61c32b1e8e04d2c14eb82fab78926dc46861db511a8741a62c0c20

C:\Program Files\obs-studio\bin\64bit\Qt6Network.dll

MD5 c0a45658d6a449b10bab51e4d13461a9
SHA1 5e5900782001a1f1f943f3652021f26adbe6e91c
SHA256 b247675f3a8052f99e86d03b69c662b8896692c592cfb0db9ca32a5fa7804156
SHA512 b0211999fb364ee4ce0de45ae5d4393086b1330ee265709a8e1f23e3126f6f73f300085b02da28afa4a381ad1280008ce5bdb018f2caf81d8d105ea06100dbf1

C:\Program Files\obs-studio\bin\64bit\Qt6Xml.dll

MD5 b78c1020fa210bff7749daeb632d8bc7
SHA1 0f6f9c94651fc6067fb2285af6f5f2700eb14324
SHA256 e033d6aff84d7654dc509cc8fb43e46f31289b5061c7c2363a818eb45276ed0b
SHA512 2010c73d64be24a77c7d1fcb3bad2314e3ffccbbee3641adf7b1410842e275f6af9ac2774b434c38c0a2c1dfc9fe90ce4f835842bc72d1cb7ee995513ebfe794

C:\Program Files\obs-studio\bin\64bit\Qt6Gui.dll

MD5 f0920dae438b523b053beac25ea3d10c
SHA1 bda9dd677be8f0c2707d499658dc55a6b9ce6666
SHA256 0febba928e5c28dae04876510b456a237fa494e92cf88b153ce8ace503e877f8
SHA512 f37239c51dc6d7b4d0ecdad8ee42716a09aacee53892c066f990235c45c25dad778da19a9758b52263aca023efe1478079527bb07d1a064f6a2d0e88a56a6f57

memory/5832-6391-0x00007FFCD9810000-0x00007FFCD9DAF000-memory.dmp

C:\Program Files\obs-studio\bin\64bit\Qt6Svg.dll

MD5 44fcf537c8916b85c4bd803e4b61bd62
SHA1 9e9e76e0edb3e199afcb20182db0ac2a6f4f0eb9
SHA256 debff1c113092d78eaea9d01718db8dd9bc0e34c75080910af30951679394bf4
SHA512 278670adca2c1338f6cd4584f6a420e18d6773d4024a12336beb68291516de07f5e30ed583984fce0d276ad02b9d3671299c369b04013d68ac71ff53f5881875

C:\Program Files\obs-studio\bin\64bit\swresample-4.dll

MD5 fc94301c5553d4faa998913174056f95
SHA1 a5de4ab38172b883fef4fb90806010303a7cd3e2
SHA256 034207bc3a897ec3f1be90bf3eaf9baf56e5f8068e4c8e2c7a6dbd108279de1b
SHA512 50e0ddd0de3529adc84b6f7f2f1361fe02be80b37ed2dfc5cd081f456678d93693efe3e7e66a9a50930cd63cebbf0139b09f09e5b34ee597c266f29667d55000

C:\Program Files\obs-studio\bin\64bit\avformat-59.dll

MD5 2dd7edd759f67dc6e1e72f40690a65e8
SHA1 8aeb80591d942cb1559274773728aa75b1896b5e
SHA256 dd613d5c5ea73341769f7f74a04d1430eace29eeb5a6032769beda35f4b16153
SHA512 3e7516023a1f8cdb74c0d94e0854a7c7a85c311b2fe18e7769002ce16ba8a8053c582aecce1cfa3970000cabf67646d6b39949a030c3cdee34e74761460918e5

C:\Program Files\obs-studio\bin\64bit\avutil-57.dll

MD5 ecb6526801232f8c593d64718ea84a24
SHA1 6ed845896619e26a4438106e3ebc8e03ee3b0acd
SHA256 ffd4bb3a6ad222f66d8d71075eb056282235f2d64399135bdcf68404d5c4dbc1
SHA512 c29b4fa23e15a9d7c33e388375d2eec363c3c7227f7f4ad6bab084ab1ce6a6588dee23478a10361ae173cd74a0c1be344b8a1c594b67d5529ce8ebc70c5c2ab2

C:\Program Files\obs-studio\bin\64bit\avcodec-59.dll

MD5 4e11757e6e100d8ad5a9669495be4cf1
SHA1 8ea51d57083ad3da35bbdb961893a68ca1136c84
SHA256 db9fb64bf039a90d9ce6e8b597a5bab6dd289b4223866ef128f7aa3e7fa93ceb
SHA512 98b08636ee69acfebb25033eea2e89bd240c2477a249455856939b09311805b7046bfc467ac023867860e0ef0654317b03bd62c8e1f555e693716fc146f01ace

C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\rtmp-services\services.json

MD5 50c422a979e96a968def5960ff89aff1
SHA1 ecc2b59cded66e640ca93e6ad716a31a215a2e86
SHA256 acf6dab082a433100ca4b25579260fca4d87fd8aadf285690884b8f3e7f90b9d
SHA512 e4a8acd7ad90b6b92a85cdfc17110d2f698a8252011cfafdbf6efa063141addfb49ee0ac2f7aef0b66094c9f961e276c95849dee690ba79ecaecadf08139cb4e

C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

MD5 f5a16ac06453b7e4cf17ab4e90f00eaf
SHA1 365fe9f459828fc73d2c670b73c5838dae282e09
SHA256 4263ddd35b9fedec213417adb5aa2694982d8fbeaf2a1b9010df069c3382bbe3
SHA512 9daa0a8adea38a38fe12dec3db4d0af11ce2e5bac5c89858fba9ef067b1552f1ba1fbb3f572fd3e1904ce7cfae62b56810fce7e62464f3a76cb71e3ae3830dbf

C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\rtmp-services\services.json

MD5 b5b4af42d637ef33305d8d6e97a397ce
SHA1 4f951f7e70ff8690ec3228e5c49e74da41be2c16
SHA256 f14bbf129bba54d9ab0e7bd71bb51ae985d6983e28b81fa96160038d1d690961
SHA512 146daf26d31f53363ad6a740822a8c19abe2c938968d4a2262e06d54f7f0b3188de7c3abad2f23d98e964aa69d679e402a097d05d13410ccc5873df77d0b7833

C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

MD5 66293a6fbfdd491ad5cc2112937f8147
SHA1 1566f32b27fc8b156c3d26afed4018b17f2516be
SHA256 0b27a864ee912dc3d4284d758ff78dfc7f20a3fee239a47657cb843a8fb3d15f
SHA512 05a9a971489c85cfb5e41cb42dfa13479bba9d2cd0d65f02b62aaf53fcccc803c1c3c053ece575e8da2c00ad769461fd8f8649ae6394044e5bbdae506aa490cd

memory/5832-6518-0x00007FFCE2050000-0x00007FFCE2107000-memory.dmp

memory/5832-6519-0x000000006AD00000-0x000000006AD24000-memory.dmp

memory/5832-6517-0x00007FFCE8B20000-0x00007FFCE8B48000-memory.dmp

memory/5832-6516-0x00007FFCD9DB0000-0x00007FFCDA1FE000-memory.dmp

memory/5832-6515-0x00007FFCE0520000-0x00007FFCE0726000-memory.dmp

memory/5832-6514-0x00007FFCDA200000-0x00007FFCDCBDA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

MD5 f998b8f6765b4c57936ada0bb2eb4a5a
SHA1 13fb29dc0968838653b8414a125c124023c001df
SHA256 374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef
SHA512 d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6c7cef9fa28f4e83d71a4fb3924dba87
SHA1 66a88b1b7c5a62027302a08a894d5437c8699eaa
SHA256 3f1c286dea551b3cec542d9cc2de6eb4820f69fce2652d159ad0f0549d70649b
SHA512 15841444e5d5c6cb5f029aef596359dcb69feb08d448027034f0c8af0d142b6c70eba10b33b0e018ac6b94262ff2f38c9e92db40f9731482e186e9a2a1bdffbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598b3f.TMP

MD5 b17478c49b55b2935423cc5a1f40702f
SHA1 69ddfb0e4ef2d71053d6d55a84cddf1948151d9e
SHA256 62ed8d15aef652451749810e93ac9706b47a9df26037c815d11d8eab95f1f812
SHA512 2e7957e45abd95d69947f3ddbb368037a6842274048e82d8c1bf53d91a5b38624c5e5e2f62740f323af52eaf39e875c4f0ddb77297d3753d5ca5bb1c60464888

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 84b714ee6ce01d90e71b1ebb9742dd66
SHA1 f8f73466b9c5567311dbbfcd554d889881731b7d
SHA256 1d7bf5aa22b7d5a624543cae13a5dda471f2a91562e65b1d26a3fceda45e0606
SHA512 7f47638a1537176771409acf0d5fcfc6802d2db0beb27d0b576c81748949ff769d3def83a3fc7f35b4918a3cd2016b04e1f1d73df3730f52144df7f9919262b9