VMRay Analyzer Report for Sample #20389 VMRay Analyzer 2.2.0 Process 1 4032 zeuspanda.vir.exe 1832 zeuspanda.vir.exe "C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe" C:\Users\CIiHmnxMn6Ps\Desktop\ c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe Child_Of Child_Of Created Opened Opened Opened Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Process 2 3380 containers.exe 4032 containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe Child_Of Child_Of Created Opened Opened Opened Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Process 3 3372 cmd.exe 4032 cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat" C:\Users\CIiHmnxMn6Ps\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Opened Process 4 3364 conhost.exe 3372 conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 C:\Windows c:\windows\system32\conhost.exe Process 5 2696 svchost.exe 3380 svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ c:\windows\syswow64\svchost.exe Copied Wrote_To Wrote_To Wrote_To Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Created Created Created Created Connected_To Connected_To Connected_To Process 6 3744 svchost.exe 3380 svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ c:\windows\syswow64\svchost.exe Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Created Created Created Process 7 2336 containers.exe 1752 containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" C:\Windows\system32\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe Child_Of Child_Of Created Opened Opened Opened Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Process 8 2776 svchost.exe 2336 svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\syswow64\svchost.exe Child_Of Child_Of Created Copied Wrote_To Wrote_To Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Created Created Created Created Modified_Properties_Of Modified_Properties_Of Modified_Properties_Of Modified_Properties_Of Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Process 9 1252 svchost.exe 2336 svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\syswow64\svchost.exe Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Process 10 788 svchost.exe 484 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\system32\svchost.exe Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Process 11 3020 wmiprvse.exe 580 wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding C:\Windows\system32\ c:\windows\system32\wbem\wmiprvse.exe Process 12 2628 updee12df24.exe 2776 updee12df24.exe "C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update C:\Windows\system32\ c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe Child_Of Child_Of Created Opened Opened Opened Deleted Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Process 13 420 containers.exe 2628 containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe Child_Of Child_Of Created Opened Opened Opened Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Process 14 3964 cmd.exe 2628 cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat" C:\Windows\system32\ c:\windows\syswow64\cmd.exe Child_Of Opened Opened Opened Opened Deleted Deleted Created Opened Opened Opened Opened Process 15 3980 conhost.exe 3964 conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 C:\Windows c:\windows\system32\conhost.exe Process 16 3460 svchost.exe 420 svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ c:\windows\syswow64\svchost.exe Copied Wrote_To Wrote_To Wrote_To Wrote_To Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Created Created Created Created Created Created Created Modified_Properties_Of Modified_Properties_Of Modified_Properties_Of Modified_Properties_Of Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Process 17 976 svchost.exe 420 svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ c:\windows\syswow64\svchost.exe Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Created Created Process 18 2732 wmiadap.exe 788 wmiadap.exe wmiadap.exe /F /T /R C:\Windows\system32\ c:\windows\system32\wbem\wmiadap.exe Process 19 4024 wmiprvse.exe 580 wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding C:\Windows\system32\ c:\windows\system32\wbem\wmiprvse.exe Process 20 828 svchost.exe 484 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\ c:\windows\system32\svchost.exe Process 21 3668 taskhostw.exe 788 taskhostw.exe taskhostw.exe Logon C:\Windows\system32\ c:\windows\system32\taskhostw.exe Process 22 3688 taskeng.exe 788 taskeng.exe taskeng.exe {1BBCBFC5-09FE-40C5-8AED-96852146E5CA} S-1-5-18:NT AUTHORITY\System:Service: C:\Windows\system32\ c:\windows\system32\taskeng.exe Child_Of Child_Of Process 23 2808 officec2rclient.exe 3688 officec2rclient.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /WatchService C:\Windows\system32\ c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe Process 24 2436 officec2rclient.exe 3688 officec2rclient.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update SCHEDULEDTASK displaylevel=False C:\Windows\system32\ c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe Process 25 2760 adobearm.exe 788 adobearm.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" C:\Windows\system32\ c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe Child_Of Process 26 3752 reader_sl.exe 2760 reader_sl.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" C:\Windows\system32\ c:\program files (x86)\adobe\acrobat reader dc\reader\reader_sl.exe File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE File Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe \??\C:\ \??\C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe exe File popupkiller.exe popupkiller.exe c:\ c:\popupkiller.exe exe File stimulator.exe stimulator.exe c:\ c:\stimulator.exe exe File tools\execute.exe tools\execute.exe c:\ c:\tools\execute.exe exe File npf_ndiswanip File sice File siwvid File siwdebug File ntice File regvxg File filevxg File regsys File filem File trw File icext File users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe c:\ c:\users\ciihmnxmn6ps\desktop\zeuspanda.vir.exe exe File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe MD5 c9522f83c60a595694b2e4c6657982d0 SHA1 8011fd0a959b7d17696306c4ab36c4974540cada SHA256 b34abadaa54fa828fc3d1b1540004f5dd94873918d5b3f2a3eab49272b67415b File Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe \??\C:\ \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming users\ciihmnxmn6ps\appdata\roaming c:\ c:\users\ciihmnxmn6ps\appdata\roaming File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys com\support\flashplayer\sys File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef qef File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi pyi File users\ciihmn~1\appdata\local\temp\upd7d80021e.bat users\ciihmn~1\appdata\local\temp\upd7d80021e.bat c:\ c:\users\ciihmn~1\appdata\local\temp\upd7d80021e.bat bat MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Mutex 8C5FF35F44C67C34381EFF128FE58575 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex Sandboxie_SingleInstanceMutex_Control Mutex Frz_State Mutex 4F35AC27449784784508471CC1E930C7 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex ACD86ED691154353041C7827C4241C0D WinRegistryKey AppID\{10000002-0000-0000-0000-000000000001} HKEY_CLASSES_ROOT AccessPermission AccessPermission AccessPermission AccessPermission AccessPermission AccessPermission WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallDate InstallDate WinRegistryKey Software\WINE HKEY_CURRENT_USER WinRegistryKey Software\WINE HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallDate WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE DigitalProductId DigitalProductId WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE DigitalProductId WinRegistryKey SOFTWARE\Microsoft HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\VBA HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\SQMClient HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Speech HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\WcmSvc HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Narrator HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\IMEMIP HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Poom HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\WAB HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Shared HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Sensors HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Siuf HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\wfs HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Notepad HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Fax HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\PeerNet HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Unistore HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Feeds HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\GameBar HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Pim HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Osk HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Wisp HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\F12 HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\CTF HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Keyboard HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Ofumig HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Lineo HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Peet HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Exchange HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\MSF HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Abanz HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE File Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe \??\C:\ \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix MD5 51b6060100f780fce4687b38c704d5ce SHA1 042c3d3f4b86f9f96e68920c0b901283bd970e74 SHA256 03740e5e8bdabe598aa134e8ddbc357e579862958521e3d29e6b132c2c1c141d File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef qef Mutex DD53550AC9EB25CC6151CE1EB2A70FC3 Mutex EF45F0E754F1354293A017BE4F985965 Mutex E69AF5C9A1CE7CC06B48F35248935FCD Mutex 4F35AC27449784784508471CC1E930C7 Mutex 8EB663269EDB2551D78D6BE980D8D1D5 Mutex 8592029A1BBD0F5EDCA2A860E613ACDB WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha File users\ciihmn~1\appdata\local\temp\upd7d80021e.bat users\ciihmn~1\appdata\local\temp\upd7d80021e.bat c:\ c:\users\ciihmn~1\appdata\local\temp\upd7d80021e.bat bat File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE File STD_ERROR_HANDLE WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Copied_To File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix Copied_From File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef qef MD5 19e41a9bbee8b943fbffb11b43e91c6a SHA1 6d982ea6d2f07cb2241e397d556491196500013a SHA256 6e00e3dcb22d69648583f51e3192a927412f4d7ab2be7f0c36210e47a71f81c4 File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\kinto.pyi pyi MD5 e9a283db6371a73a5c62a14e2c170aa8 SHA1 cddebb3cd338765b636e0a08630d7c016a6ac307 SHA256 3bab6a563dcf574fec0f6098c360456b5f87ecc938e3719d130bb956ec9c6f2e File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe Mutex 8EB663269EDB2551D78D6BE980D8D1D5 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 3A05CFF4EB7DE2EF8F3985678370FA5D Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 55A4DE17653FCFB535BFCEB7986C3B1D Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 843724E431E9542E94836F8E62819404 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex ACD86ED691154353041C7827C4241C0D Mutex BA6E0713253533C2BD32E023F51DAAB1 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex BA375714EF21E8EC8F43FB71FA3700CC WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" REG_SZ WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze SocketAddress 330f35e9f647.loan 443 NetworkConnection HTTP 330f35e9f647.loan 443 URI 330f35e9f647.loan/31F9UVfEun/0I1aalj/7QGREH4HU/RK/5rEg Contains URI None URI 330f35e9f647.loan/mtV/jshKPnn7S1/Vn/HMa/z/b-N/oK/Q Contains File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\nieo_glbfe5pi.qef qef File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe Mutex 8592029A1BBD0F5EDCA2A860E613ACDB Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex ACD86ED691154353041C7827C4241C0D Mutex BA6E0713253533C2BD32E023F51DAAB1 Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 8EB663269EDB2551D78D6BE980D8D1D5 WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" REG_SZ File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE File Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe \??\C:\ \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix Mutex 8C5FF35F44C67C34381EFF128FE58575 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex DD53550AC9EB25CC6151CE1EB2A70FC3 Mutex 5576A023ACFCB1DF07119694F5D31AAB Mutex E60F35D6C376C5F82E917CA84B9C2F25 Mutex 4F35AC27449784784508471CC1E930C7 WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallDate InstallDate WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE DigitalProductId DigitalProductId File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp tmp Copied_To File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix Copied_From File users\ciihmn~1\appdata\local\temp\updee12df24.exe users\ciihmn~1\appdata\local\temp\updee12df24.exe c:\ c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe exe MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe Mutex 55A4DE17653FCFB535BFCEB7986C3B1D Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 843724E431E9542E94836F8E62819404 Mutex ACD86ED691154353041C7827C4241C0D Mutex BA6E0713253533C2BD32E023F51DAAB1 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 690CE47B932790ABBAE4486C8750D5B2 Mutex 1F6114CF197C565BFF427879E00139DA Mutex 690CE47B932790ABBAE4486C8750D5B2 Mutex BA375714EF21E8EC8F43FB71FA3700CC WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" REG_SZ containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" REG_SZ WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen SocketAddress google.com 80 NetworkConnection HTTP google.com 80 URI 330f35e9f647.loan/8C1SLhHn/2_/8tA/E/H/Fbk/8JMoO2Tv/9/2Kg Contains URI 330f35e9f647.loan/pW6teVTI/k-sq/J/2j7/cmhBJoSRZ8F/qDQ Contains URI google.com/ Contains URI 330f35e9f647.loan/xnecdWiG1/m9/J5MGn6/T/2YACd/yAYfNpLQ Contains URI 330f35e9f647.loan/SEP4vYw6/sPlMZ/3/v0URdi/NOLRdM5J/cg Contains URI 330f35e9f647.loan/NrY/r/c5FHX/_/0aFNoP8C8TO/VnC/g/ Contains URI 330f35e9f647.loan/9piYZTuz9/2sx1Clf5U1sISMKMW81/q/MQ Contains URI 330f35e9f647.loan/l6yH/j4/plG2GbX2ldR8utbqF/HD/A Contains URI 330f35e9f647.loan/WJFCdFULD/tP/ZaEGn/rc/211/J/v/ijQ/fN4EQ Contains URI 330f35e9f647.loan/cIh/g/P/V0METF/RW/hZEvuN/Yd5W/J/w/ Contains URI 330f35e9f647.loan/sTx52Lxwi/k/OhkZ/j_hXlZYAu/ad/N6VyPA Contains URI 330f35e9f647.loan/TkN2Lgy/t9dSY/UHKX3/Va/P4CpZe5q/Lw Contains URI 330f35e9f647.loan/3qeDwipy/0M/15F3rEV/lgCANe/hdf5/O/PQ Contains File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex ACD86ED691154353041C7827C4241C0D Mutex BA6E0713253533C2BD32E023F51DAAB1 Mutex BA375714EF21E8EC8F43FB71FA3700CC WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze Uzapze WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER containers.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe" REG_SZ File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix File Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe \??\C:\ \??\C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe exe File users\ciihmn~1\appdata\local\temp\updee12df24.exe users\ciihmn~1\appdata\local\temp\updee12df24.exe c:\ c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe exe File Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe \??\C:\ \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming users\ciihmnxmn6ps\appdata\roaming c:\ c:\users\ciihmnxmn6ps\appdata\roaming File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys com\support\flashplayer\sys File users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat c:\ c:\users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat bat MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 8C5FF35F44C67C34381EFF128FE58575 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 4F35AC27449784784508471CC1E930C7 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex ACD86ED691154353041C7827C4241C0D WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallDate WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER containers.exe WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE DigitalProductId WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER containers.exe WinRegistryKey Software\Microsoft\Windows\Currentversion\Run HKEY_CURRENT_USER File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE File Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe \??\C:\ \??\C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex DD53550AC9EB25CC6151CE1EB2A70FC3 Mutex B7B640FD598619C28BD4F0051E0616B4 Mutex C144897552FBD8087BCACE2DF5968566 Mutex 4F35AC27449784784508471CC1E930C7 WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE File Users\CIIHMN~1\AppData\Local\Temp\UPDEE1~1.EXE Users\CIIHMN~1\AppData\Local\Temp\UPDEE1~1.EXE \??\C:\ \??\C:\Users\CIIHMN~1\AppData\Local\Temp\UPDEE1~1.EXE EXE File STD_ERROR_HANDLE File users\ciihmn~1\appdata\local\temp\updee12df24.exe users\ciihmn~1\appdata\local\temp\updee12df24.exe c:\ c:\users\ciihmn~1\appdata\local\temp\updee12df24.exe exe File users\ciihmn~1\appdata\local\temp\updee1~1.exe users\ciihmn~1\appdata\local\temp\updee1~1.exe c:\ c:\users\ciihmn~1\appdata\local\temp\updee1~1.exe exe File users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat c:\ c:\users\ciihmn~1\appdata\local\temp\upd3171fe7c.bat bat WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.tmp tmp Copied_To File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix Copied_From File users\ciihmnxmn6ps\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\ac\#!002\microsoftedge\cookies\u9pt9v3q.txt users\ciihmnxmn6ps\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\ac\#!002\microsoftedge\cookies\u9pt9v3q.txt c:\ c:\users\ciihmnxmn6ps\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\ac\#!002\microsoftedge\cookies\u9pt9v3q.txt txt File users\ciihmn~1\appdata\local\temp\flab587.tmp users\ciihmn~1\appdata\local\temp\flab587.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\flab587.tmp tmp MD5 d7859b496da03c0e61243641c65b6510 SHA1 0dea29cb67e5b6f628a3e440f10421d8df0ef574 SHA256 da9736e8fac8dba275bd2ae8fe5385b06de8bbf0267ddd628ea603f187e0fc93 File users\ciihmn~1\appdata\local\temp\sofb65d.tmp users\ciihmn~1\appdata\local\temp\sofb65d.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\sofb65d.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb597.tmp users\ciihmn~1\appdata\local\temp\cabb597.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb597.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb598.tmp users\ciihmn~1\appdata\local\temp\cabb598.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb598.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb599.tmp users\ciihmn~1\appdata\local\temp\cabb599.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb599.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb59a.tmp users\ciihmn~1\appdata\local\temp\cabb59a.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb59a.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb59b.tmp users\ciihmn~1\appdata\local\temp\cabb59b.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb59b.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb5ac.tmp users\ciihmn~1\appdata\local\temp\cabb5ac.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb5ac.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb5ad.tmp users\ciihmn~1\appdata\local\temp\cabb5ad.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb5ad.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb5be.tmp users\ciihmn~1\appdata\local\temp\cabb5be.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb5be.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb5bf.tmp users\ciihmn~1\appdata\local\temp\cabb5bf.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb5bf.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cabb5c0.tmp users\ciihmn~1\appdata\local\temp\cabb5c0.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cabb5c0.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\containers.exe exe File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles.ini users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles.ini c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles.ini ini File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\addons.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\alternateservices.txt users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\alternateservices.txt c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\alternateservices.txt txt File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-addons.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-gfx.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist-plugins.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\blocklist.xml xml File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\bookmarkbackups\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cert8.db db File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\compatibility.ini ini File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\containers.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\content-prefs.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\cookies.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\store.json.mozlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\store.json.mozlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\crashes\store.json.mozlz4 mozlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\archived\2017-05\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4 jsonlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\session-state.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\datareporting\state.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.ini ini File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\extensions.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\formhistory.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.dll dll File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-gmpopenh264\1.6\gmpopenh264.info info File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\license.txt txt File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\manifest.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll dll File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\gmp-widevinecdm\1.4.8.903\widevinecdm.dll.lib lib File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\key3.db users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\key3.db c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\key3.db db File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\kinto.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\kinto.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\kinto.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\mimetypes.rdf users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\mimetypes.rdf c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\mimetypes.rdf rdf File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\parent.lock users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\parent.lock c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\parent.lock lock File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\permissions.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\permissions.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\permissions.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\places.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\places.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\places.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\pluginreg.dat users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\pluginreg.dat c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\pluginreg.dat dat File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\prefs.js users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\prefs.js c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\prefs.js js File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\revocations.txt users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\revocations.txt c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\revocations.txt txt File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 default\saved-telemetry-pings\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\search.json.mozlz4 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\search.json.mozlz4 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\search.json.mozlz4 mozlz4 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\secmod.db users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\secmod.db c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\secmod.db db File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\securitypreloadstate.txt users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\securitypreloadstate.txt c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\securitypreloadstate.txt txt File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessioncheckpoints.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessioncheckpoints.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessioncheckpoints.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\previous.js users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\previous.js c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\previous.js js File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore-backups\upgrade.js-20170518000419 js-20170518000419 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore.js users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore.js c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sessionstore.js js File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sitesecurityservicestate.txt users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sitesecurityservicestate.txt c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\sitesecurityservicestate.txt txt File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata metadata File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\.metadata-v2 metadata-v2 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata metadata File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\.metadata-v2 metadata-v2 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 files\1 File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\storage.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\times.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\times.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\times.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\webappsstore.sqlite users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\webappsstore.sqlite c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\webappsstore.sqlite sqlite File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\xulstore.json users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\xulstore.json c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\profiles\8i341t8m.default\xulstore.json json File users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\installtime20170518000419 users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\installtime20170518000419 c:\ c:\users\ciihmnxmn6ps\appdata\roaming\mozilla\firefox\crash reports\installtime20170518000419 Mutex 3A05CFF4EB7DE2EF8F3985678370FA5D Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 55A4DE17653FCFB535BFCEB7986C3B1D Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 843724E431E9542E94836F8E62819404 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 8E6BA92214C9B423A575DAF2D449D162 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 1F6114CF197C565BFF427879E00139DA Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex BA375714EF21E8EC8F43FB71FA3700CC Mutex 99DCC4F63896BA52D9D5D3F7098E00E5 WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey Software\Microsoft\Internet Explorer\IntelliForms\Storage2 HKEY_CURRENT_USER WinRegistryKey Software\Mozilla HKEY_CURRENT_USER WinRegistryKey Software\Mozilla\Firefox HKEY_CURRENT_USER PathToExe WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_CURRENT_USER PathToExe WinRegistryKey Software\Mozilla HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Firefox HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Firefox HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main HKEY_LOCAL_MACHINE PathToExe PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3 HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3 HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\bin HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\extensions HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\extensions HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Identities HKEY_CURRENT_USER WinRegistryKey Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER WinRegistryKey Software\Mozilla\Firefox HKEY_CURRENT_USER WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_CURRENT_USER WinRegistryKey Software\Mozilla\Firefox HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3 HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\bin HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\extensions HKEY_LOCAL_MACHINE WinRegistryKey Software\Martin Prikryl HKEY_CURRENT_USER WinRegistryKey Software\Martin Prikryl HKEY_LOCAL_MACHINE WinRegistryKey Software\Ghisler\Windows Commander HKEY_CURRENT_USER WinRegistryKey Software\Ghisler\Total Commander HKEY_CURRENT_USER WinRegistryKey Software\Ghisler\Windows Commander HKEY_LOCAL_MACHINE WinRegistryKey Software\Ghisler\Total Commander HKEY_LOCAL_MACHINE WinRegistryKey Software\FileZilla HKEY_CURRENT_USER WinRegistryKey Software\FileZilla Client HKEY_CURRENT_USER WinRegistryKey Software\FileZilla HKEY_LOCAL_MACHINE WinRegistryKey Software\FileZilla Client HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\IntelliForms\FormData HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 HKEY_LOCAL_MACHINE UninstallString WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} HKEY_LOCAL_MACHINE UninstallString UninstallString WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey Software\Mozilla\Firefox HKEY_CURRENT_USER PathToExe WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_CURRENT_USER PathToExe WinRegistryKey Software\Mozilla\Firefox HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Firefox\TaskBarIDs HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main HKEY_LOCAL_MACHINE PathToExe PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3 HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\bin HKEY_LOCAL_MACHINE PathToExe WinRegistryKey Software\Mozilla\Mozilla Firefox 53.0.3\extensions HKEY_LOCAL_MACHINE PathToExe WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 53.0.3 (x86 en-GB) HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D82C954-2957-418B-908F-FE78BF3A8BEB} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74d0e5db-b326-4dae-a6b2-445b9de1836e} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2563E55-3BEC-3828-8D67-E5E8B9E8B675} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824245926} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE960C1C-7BAD-3DE6-8B1A-2616FE532845} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} HKEY_LOCAL_MACHINE DisplayName DisplayName WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen URI 330f35e9f647.loan/KbnKhnNec/qN/5/yGGXDaERSOtCLSf9QC/g Contains URI 330f35e9f647.loan/rSps/ke9sIH_-V/lJ/DI/sKWc/MRONw/ Contains URI 330f35e9f647.loan/1R52/0u4pYTz_/ExM/AI/4f/XM8U/L/d/g Contains URI 330f35e9f647.loan/Ydqt/uth/tJ1TJV1Vo/FcOR/W_NPMA Contains URI 330f35e9f647.loan/OLKU5tAB/rPB/XBjjZZ2/N-Pfmw/N-N_Bg Contains URI 330f35e9f647.loan/BaoB/o/d1zEU_M/SWNz/EN/2nQPZRBg Contains URI 330f35e9f647.loan/De1Yth/p9kt/Cn/nFYkQAKMa/NRvIPHQ/ Contains URI 330f35e9f647.loan/VTNb4H/t/ehSMTnlcHV_E4at/VMNw/Jg Contains URI 330f35e9f647.loan/YrhHB3/us5/0/G0-ef1/NZ/O/fDWW/-V/WDA/ Contains URI 330f35e9f647.loan/ywhAhCZ/mst0E/m/Xuf/FhGG/fO/NQ/c1HMw Contains URI 330f35e9f647.loan/aV1M3/guotHj7McBB8QtOzM9oNJ/Q Contains URI 330f35e9f647.loan/gyRVM2W/hM/VOBU/C/fc/UZI/I-So/MMBZP/Q Contains URI 330f35e9f647.loan/6puLAJKud/1c/xpH0zn/bVRVR8KQTtZ0Dw Contains URI 330f35e9f647.loan/yl/mtBlP3TBX01/IHcuJe/_tHKA Contains URI 330f35e9f647.loan/PlKl8Vi16/s9BXP/zX7TxAHId6ubq9oLQ Contains URI 330f35e9f647.loan/4jfU08/19Z6B/j2VEkt/XJILd/Nv1YEQ Contains URI 330f35e9f647.loan/qE/kvltF/nzoV2/RANMO/gc9JP/AQ Contains URI 330f35e9f647.loan/DStLW/p-9oH1rpd/VV9/Jva2/dttpAA Contains URI 330f35e9f647.loan/3VIs/0OpV/I/D77b/1ICJ_uWMcF3N/w Contains URI 330f35e9f647.loan/Syy/sMVlAHTUdV/hI/I/sucUe/5HFw Contains URI 330f35e9f647.loan/eCf57FZh/hv9/6ZjrrfElUMtT/QNd/FkLA Contains URI 330f35e9f647.loan/5TGta2dCc5/1uhbJ2/y/f/QmJSRI/e/xRe/N/fdg Contains URI 330f35e9f647.loan/jypPt/ic/VsA3/n/HX1FhBdiccsdKLg Contains URI 330f35e9f647.loan/ddDmp7/h/9/hY/Pn/2aQkV1HML/S/Zv/N6KQ Contains URI 330f35e9f647.loan/zrx/mc5kKX_VXFNJC8/Cd/eO/VGPg Contains File users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix c:\ c:\users\ciihmnxmn6ps\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\pgyfoaei3.wix wix File users\ciihmn~1\appdata\local\temp\upd9948.tmp users\ciihmn~1\appdata\local\temp\upd9948.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\upd9948.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cab7de7.tmp users\ciihmn~1\appdata\local\temp\cab7de7.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cab7de7.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cab7de8.tmp users\ciihmn~1\appdata\local\temp\cab7de8.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cab7de8.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cab7de9.tmp users\ciihmn~1\appdata\local\temp\cab7de9.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cab7de9.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cab7dea.tmp users\ciihmn~1\appdata\local\temp\cab7dea.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cab7dea.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File users\ciihmn~1\appdata\local\temp\cab7deb.tmp users\ciihmn~1\appdata\local\temp\cab7deb.tmp c:\ c:\users\ciihmn~1\appdata\local\temp\cab7deb.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Mutex ACD86ED691154353041C7827C4241C0D Mutex BA6E0713253533C2BD32E023F51DAAB1 WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Axoha WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Uzapze WinRegistryKey SOFTWARE\Microsoft\Ombi HKEY_CURRENT_USER Akudfeen Analyzed Sample #20389 Malware Artifacts 20389 Sample-ID: #20389 Job-ID: #14444 This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 10 Threshold 1 system 0 VTI Score based on VTI Database Version 2.6 Metadata of Sample File #20389 Submission-ID: #21237 C:\Users\CIiHmnxMn6Ps\Desktop\zeuspanda.vir.exe exe MD5 c9522f83c60a595694b2e4c6657982d0 SHA1 8011fd0a959b7d17696306c4ab36c4974540cada SHA256 b34abadaa54fa828fc3d1b1540004f5dd94873918d5b3f2a3eab49272b67415b Opened_By Metadata of Analysis for Job-ID #14444 Timeout True x86 64-bit 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567) win10_64 True 929.963 Windows 10 Threshold 1 This is a property collection for additional information of VMRay analysis VMRay Analyzer Information Stealing VTI rule match with VTI rule score 1/5 vmray_read_windows_install_date Read the Windows installation date from registry. Read system data Information Stealing VTI rule match with VTI rule score 3/5 vmray_read_windows_license_by_registry Readout Windows license key. Read system data Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "8C5FF35F44C67C34381EFF128FE58575". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "BA375714EF21E8EC8F43FB71FA3700CC". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Sandboxie_SingleInstanceMutex_Control". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Frz_State". Create system object Anti Analysis VTI rule match with VTI rule score 3/5 vmray_detect_wine_by_getprocaddress Possibly trying to detect "wine" by calling GetProcAddress() on "wine_get_unix_file_name". Try to detect application sandbox Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "4F35AC27449784784508471CC1E930C7". Create system object Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"" starts with hidden window. Create process with hidden window Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "DD53550AC9EB25CC6151CE1EB2A70FC3". Create system object Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process ""C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd7d80021e.bat"" starts with hidden window. Create process with hidden window Anti Analysis VTI rule match with VTI rule score 1/5 vmray_dynamic_api_usage_by_api Resolve above average number of APIs. Dynamic API usage Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Windows\SysWOW64\svchost.exe -k netsvcs" starts with hidden window. Create process with hidden window Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "EF45F0E754F1354293A017BE4F985965". Create system object Process VTI rule match with VTI rule score 1/5 vmray_allocate_wx_page Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. Create a page with write and execute permissions Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "8EB663269EDB2551D78D6BE980D8D1D5". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "3A05CFF4EB7DE2EF8F3985678370FA5D". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "99DCC4F63896BA52D9D5D3F7098E00E5". Create system object Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 1776 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Uzapze". Write large data into the registry Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "55A4DE17653FCFB535BFCEB7986C3B1D". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "843724E431E9542E94836F8E62819404". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "ACD86ED691154353041C7827C4241C0D". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "BA6E0713253533C2BD32E023F51DAAB1". Create system object Persistence VTI rule match with VTI rule score 1/5 vmray_install_startup_script_by_registry Add ""C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\containers.exe"" to windows startup via registry. Install system startup script or application Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "E69AF5C9A1CE7CC06B48F35248935FCD". Create system object Anti Analysis VTI rule match with VTI rule score 1/5 vmray_delay_execution_by_sleep One thread sleeps more than 5 minutes. Delay execution Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "8592029A1BBD0F5EDCA2A860E613ACDB". Create system object Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 1680 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Axoha". Write large data into the registry Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "5576A023ACFCB1DF07119694F5D31AAB". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "E60F35D6C376C5F82E917CA84B9C2F25". Create system object Anti Analysis VTI rule match with VTI rule score 3/5 vmray_detect_fw_by_wmi_query Check for firewall via WMI query: "select * from firewallproduct". Try to detect firewall Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process ""C:\Users\CIIHMN~1\AppData\Local\Temp\updee12df24.exe" -update" starts with hidden window. Create process with hidden window Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "690CE47B932790ABBAE4486C8750D5B2". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "1F6114CF197C565BFF427879E00139DA". Create system object Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 95680 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 215872 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 310112 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process ""C:\Windows\system32\cmd.exe" /c "C:\Users\CIIHMN~1\AppData\Local\Temp\upd3171fe7c.bat"" starts with hidden window. Create process with hidden window Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "B7B640FD598619C28BD4F0051E0616B4". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "C144897552FBD8087BCACE2DF5968566". Create system object OS VTI rule match with VTI rule score 1/5 vmray_use_encryption_api Use above average number of encryption APIs. Use encryption API Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "8E6BA92214C9B423A575DAF2D449D162". Create system object Browser VTI rule match with VTI rule score 3/5 vmray_read_browser_cookies Read Cookies for "Microsoft Internet Explorer". Read data related to browser cookies Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 531328 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 807168 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 818816 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry Hide Tracks VTI rule match with VTI rule score 1/5 vmray_hide_data_in_registry Hide 837968 byte in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ombi\Akudfeen". Write large data into the registry