c11eb303330b9638936bad26cf02b8313ca43557d2a63f5e5c00d1eab2a9682e

Analysis

max time kernel
134s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OBS-Studio-30.2.2-Windows-Installer.exe
Size

133.3MB
MD5

51bc832235635f695486de858cd4bd70
SHA1

ba8f215b86f5850890054fc94bf436568f792611
SHA256

c11eb303330b9638936bad26cf02b8313ca43557d2a63f5e5c00d1eab2a9682e
SHA512

7d41be2f8acdf88d508e696d7a622407940ee173914bc5c66f917851ad5038edf43d48c18058c8b2d8c67efee1e061c0623f22286238eae26696ae7e36cf1753
SSDEEP

3145728:BcXZ1XDmrk0sggh/IWONMkBOvBX3A0cZHcITZYjRZucclhHJ+jqJZf:iixBdJPQRdclN

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	obs-browser-page.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	obs64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	obs-browser-page.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
4572	check_for_64bit_visual_studio_2022_runtimes.exe
4300	VC_redist.x64.exe
2400	VC_redist.x64.exe
2988	VC_redist.x64.exe
2556	obs64.exe
5072	obs-qsv-test.exe
4984	get-graphics-offsets64.exe
3956	get-graphics-offsets32.exe
4588	obs-browser-page.exe
1696	obs-browser-page.exe
3316	obs-browser-page.exe
4080	obs-browser-page.exe
3616	obs-browser-page.exe

Loads dropped DLL 64 IoCs

pid	Process
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2400	VC_redist.x64.exe
1532	VC_redist.x64.exe
4068	regsvr32.exe
4568	regsvr32.exe
1156	regsvr32.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\obs-studio\data\obs-plugins\win-capture\graphics-hook64.pdb	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Yami_Rachni.ovt	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\locale\eu-ES.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Light\media\media_next.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\bin\64bit\libobs-winrt.dll	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\pt-PT.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\LUTs\original.cube	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\zh-CN.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\af-ZA.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\eu-ES.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Acri\bot_hook.png	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\recording-inactive.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-browser\locale\si-LK.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\locale\uk-UA.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\coreaudio-encoder\locale\da-DK.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Light\sources\image.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\lt-LT.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\hu-HU.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\rtmp-services\locale\vi-VN.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\sv-SE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\vi-VN.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Light\media\media_stop.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\locale\en-GB.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\aja-output-ui\locale\ko-KR.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\text-freetype2\locale\es-ES.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-browser\locale\et-EE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\fr-FR.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\frontend-tools\locale\sv-SE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\luma_wipe_transition.effect	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-websocket\locale\et-EE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\virtualcam-uninstall.bat	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\right.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\aja-output-ui\locale\el-GR.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-browser\locale\uk-UA.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\sr-SP.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\he-IL.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-websocket\locale\nb-NO.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\sr-SP.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\sv-SE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\tl-PH.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\text-freetype2.pdb	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\luma_key_filter.effect	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\ug-CN.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\ka-GE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\rtmp-services\locale\fa-IR.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\bn-BD.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\LUTs\grayscale.png	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\nb-NO.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\locale\bn-BD.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-webrtc\locale\tr-TR.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\th-TH.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\color_key_filter_v2.effect	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\kab-KAB.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-studio\themes\Light\visible.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\hu-HU.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\tl-PH.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\et-EE.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-ffmpeg\locale\ug-CN.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\hu-HU.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\locale\ba-RU.ini	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\obs-plugins\64bit\locales\sl.pak	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-studio\themes\Light\sources\windowaudio.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-studio\themes\Light\locked.svg	OBS-Studio-30.2.2-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\obs-plugins\64bit\locales\ur.pak	OBS-Studio-30.2.2-Windows-Installer.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58d675.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA1F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File created	C:\Windows\Installer\e58d69d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE741.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58d675.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e58d688.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58d688.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE377.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD6C.tmp	msiexec.exe
File created	C:\Windows\Installer\e58d687.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	get-graphics-offsets32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OBS-Studio-30.2.2-Windows-Installer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004640681c343585510000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004640681c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004640681c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4640681c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004640681c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	obs64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	obs64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	obs64.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b714e56313200001000800000aa00389b71	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b714e56313200001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FriendlyName = "OBS Virtual Camera"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ = "C:\\Program Files\\obs-studio\\data\\obs-plugins\\win-dshow\\obs-virtualcam-module32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Version = "237536274"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\PackageCode = "0F1976868EAF8784585CF1DB265C6A81"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FriendlyName = "OBS Virtual Camera"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\CLSID = "{A3FCE0F5-3493-419F-958A-ABA1250EC20B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Version = "237536274"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\PackageCode = "A40E8013387385E43AA0F61A9357B166"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32\ = "C:\\Program Files\\obs-studio\\data\\obs-plugins\\win-dshow\\obs-virtualcam-module64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents	VC_redist.x64.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	obs64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	obs64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	obs64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2556	obs64.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe
2816	OBS-Studio-30.2.2-Windows-Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	obs64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3604	vssvc.exe
Token: SeRestorePrivilege	3604	vssvc.exe
Token: SeAuditPrivilege	3604	vssvc.exe
Token: SeShutdownPrivilege	2988	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2988	VC_redist.x64.exe
Token: SeSecurityPrivilege	3720	msiexec.exe
Token: SeCreateTokenPrivilege	2988	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	2988	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	2988	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2988	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	2988	VC_redist.x64.exe
Token: SeTcbPrivilege	2988	VC_redist.x64.exe
Token: SeSecurityPrivilege	2988	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	2988	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	2988	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	2988	VC_redist.x64.exe
Token: SeSystemtimePrivilege	2988	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	2988	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	2988	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	2988	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	2988	VC_redist.x64.exe
Token: SeBackupPrivilege	2988	VC_redist.x64.exe
Token: SeRestorePrivilege	2988	VC_redist.x64.exe
Token: SeShutdownPrivilege	2988	VC_redist.x64.exe
Token: SeDebugPrivilege	2988	VC_redist.x64.exe
Token: SeAuditPrivilege	2988	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	2988	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	2988	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	2988	VC_redist.x64.exe
Token: SeUndockPrivilege	2988	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	2988	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	2988	VC_redist.x64.exe
Token: SeManageVolumePrivilege	2988	VC_redist.x64.exe
Token: SeImpersonatePrivilege	2988	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	2988	VC_redist.x64.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe
Token: SeTakeOwnershipPrivilege	3720	msiexec.exe
Token: SeRestorePrivilege	3720	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe
2556	obs64.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4984	get-graphics-offsets64.exe
3956	get-graphics-offsets32.exe
2556	obs64.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4572	2816	OBS-Studio-30.2.2-Windows-Installer.exe	100
PID 2816 wrote to memory of 4572	2816	OBS-Studio-30.2.2-Windows-Installer.exe	100
PID 2816 wrote to memory of 4300	2816	OBS-Studio-30.2.2-Windows-Installer.exe	101
PID 2816 wrote to memory of 4300	2816	OBS-Studio-30.2.2-Windows-Installer.exe	101
PID 2816 wrote to memory of 4300	2816	OBS-Studio-30.2.2-Windows-Installer.exe	101
PID 4300 wrote to memory of 2400	4300	VC_redist.x64.exe	102
PID 4300 wrote to memory of 2400	4300	VC_redist.x64.exe	102
PID 4300 wrote to memory of 2400	4300	VC_redist.x64.exe	102
PID 2400 wrote to memory of 2988	2400	VC_redist.x64.exe	103
PID 2400 wrote to memory of 2988	2400	VC_redist.x64.exe	103
PID 2400 wrote to memory of 2988	2400	VC_redist.x64.exe	103
PID 2988 wrote to memory of 2964	2988	VC_redist.x64.exe	112
PID 2988 wrote to memory of 2964	2988	VC_redist.x64.exe	112
PID 2988 wrote to memory of 2964	2988	VC_redist.x64.exe	112
PID 2964 wrote to memory of 1532	2964	VC_redist.x64.exe	113
PID 2964 wrote to memory of 1532	2964	VC_redist.x64.exe	113
PID 2964 wrote to memory of 1532	2964	VC_redist.x64.exe	113
PID 1532 wrote to memory of 1924	1532	VC_redist.x64.exe	114
PID 1532 wrote to memory of 1924	1532	VC_redist.x64.exe	114
PID 1532 wrote to memory of 1924	1532	VC_redist.x64.exe	114
PID 2816 wrote to memory of 4568	2816	OBS-Studio-30.2.2-Windows-Installer.exe	117
PID 2816 wrote to memory of 4568	2816	OBS-Studio-30.2.2-Windows-Installer.exe	117
PID 2816 wrote to memory of 4568	2816	OBS-Studio-30.2.2-Windows-Installer.exe	117
PID 2816 wrote to memory of 4068	2816	OBS-Studio-30.2.2-Windows-Installer.exe	118
PID 2816 wrote to memory of 4068	2816	OBS-Studio-30.2.2-Windows-Installer.exe	118
PID 2816 wrote to memory of 4068	2816	OBS-Studio-30.2.2-Windows-Installer.exe	118
PID 4068 wrote to memory of 1156	4068	regsvr32.exe	119
PID 4068 wrote to memory of 1156	4068	regsvr32.exe	119
PID 2556 wrote to memory of 5072	2556	obs64.exe	122
PID 2556 wrote to memory of 5072	2556	obs64.exe	122
PID 2556 wrote to memory of 4984	2556	obs64.exe	124
PID 2556 wrote to memory of 4984	2556	obs64.exe	124
PID 2556 wrote to memory of 3956	2556	obs64.exe	127
PID 2556 wrote to memory of 3956	2556	obs64.exe	127
PID 2556 wrote to memory of 3956	2556	obs64.exe	127
PID 2556 wrote to memory of 4588	2556	obs64.exe	130
PID 2556 wrote to memory of 4588	2556	obs64.exe	130
PID 2556 wrote to memory of 1696	2556	obs64.exe	131
PID 2556 wrote to memory of 1696	2556	obs64.exe	131
PID 2556 wrote to memory of 3316	2556	obs64.exe	132
PID 2556 wrote to memory of 3316	2556	obs64.exe	132
PID 2556 wrote to memory of 3616	2556	obs64.exe	133
PID 2556 wrote to memory of 3616	2556	obs64.exe	133
PID 2556 wrote to memory of 4080	2556	obs64.exe	134
PID 2556 wrote to memory of 4080	2556	obs64.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\OBS-Studio-30.2.2-Windows-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\OBS-Studio-30.2.2-Windows-Installer.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\check_for_64bit_visual_studio_2022_runtimes.exe
  C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\check_for_64bit_visual_studio_2022_runtimes.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\VC_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\VC_redist.x64.exe" /quiet /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\Temp\{0F428FB6-13F8-4989-8D8E-050F69D98E6F}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{0F428FB6-13F8-4989-8D8E-050F69D98E6F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\VC_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532 /quiet /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0AF7C9B0-0D40-439D-AF38-E223B7828747} {EBED5935-CB7C-498E-99EF-334C49F95C25} 2400
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{497FA8AA-D7A1-4B51-A685-055E0DCED3B0} {34A9429E-9D36-4411-B2B9-98B5E50005AA} 2988
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{497FA8AA-D7A1-4B51-A685-055E0DCED3B0} {34A9429E-9D36-4411-B2B9-98B5E50005AA} 2988
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{612DAB8D-330B-4AC1-A7E9-ACDD4A62A42F} {1A10B293-C263-4727-BAD5-74EC791BDCC2} 1532
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4568
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Program Files\obs-studio\bin\64bit\obs64.exe
"C:\Program Files\obs-studio\bin\64bit\obs64.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\obs-studio\bin\64bit\obs-qsv-test.exe
  "C:/Program Files/obs-studio/bin/64bit/obs-qsv-test.exe" 4c99 4dc6
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets64.exe
  "../../data/obs-plugins/win-capture/get-graphics-offsets64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets32.exe
  "../../data/obs-plugins/win-capture/get-graphics-offsets32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3956
- C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe
  "C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/30.2.2" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=2556 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --mojo-platform-channel-handle=4908 --field-trial-handle=5040,i,14829251107468825301,4393897791277967863,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WebBluetooth,WinUseBrowserSpellChecker /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe
  "C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/30.2.2" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=2556 --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --mojo-platform-channel-handle=4400 --field-trial-handle=5040,i,14829251107468825301,4393897791277967863,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WebBluetooth,WinUseBrowserSpellChecker /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe
  "C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/30.2.2" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=2556 --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --mojo-platform-channel-handle=5184 --field-trial-handle=5040,i,14829251107468825301,4393897791277967863,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WebBluetooth,WinUseBrowserSpellChecker /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe
  "C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=renderer --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/30.2.2" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=2556 --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=5468 --field-trial-handle=5040,i,14829251107468825301,4393897791277967863,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WebBluetooth,WinUseBrowserSpellChecker /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3616
- C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe
  "C:\Program Files\obs-studio\obs-plugins\64bit\obs-browser-page.exe" --type=renderer --log-severity=disable --user-agent-product="Chrome/103.0.5060.134 OBS/30.2.2" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --parent_pid=2556 --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=5476 --field-trial-handle=5040,i,14829251107468825301,4393897791277967863,131072 --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,WebBluetooth,WinUseBrowserSpellChecker /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8 0x32c
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58d67a.rbs

Filesize
19KB

MD5
c67e56b02bc3f12fc017efa16b27c987

SHA1
212b0f385d54ee142db26dbbad0629b4f1ce4f25

SHA256
686bf1350b589c2cf028346ad1d6ce7893cb9c8903f70285c7ad8a2e37a5b8aa

SHA512
9a72fc4c6b9209561f279ddd59073e006a4823999df9a85f070ea93bd5094329fa09879adc592d51ee80cdd9cdc66ebe7701c3591c4e5e8cd167f3feb4c3e3b8

Download Submit
C:\Config.Msi\e58d686.rbs

Filesize
19KB

MD5
5e5c152e880430357559da2a730825d5

SHA1
340e4c837914a2a2d5f4f555ade9c98b2927e931

SHA256
92fd1315c729e9681a3ae857e15bb4c752750cfd9cb7e4f202c965eaa392e49b

SHA512
62b6635252d6f90ac757072dfbf80526298de924d65330b0593f44591bec1badff3be8a3e032103cd7c82d002172f5796fe3f31ba4a8074da60ca3d9bdec6945

Download Submit
C:\Config.Msi\e58d68d.rbs

Filesize
21KB

MD5
dce96a201dad7250b47d79b558051e44

SHA1
812da1826f13aebfbd200a84e1c486052d946466

SHA256
b4fe65b507fdd7c31347e0defcaa89b70f70af586765be55b0bcb94402f68174

SHA512
430a3f707ecf8adf06951ca143dc2e7a681ea44d0181a82f047406a6ae829e8bfe006f38ddcde5893290d35051b3bdb14d5a9d7a419b5094b21e14a9fa6ae2fe

Download Submit
C:\Config.Msi\e58d69c.rbs

Filesize
21KB

MD5
a44e9ff9d9c455cc9e5d3df11a84b814

SHA1
e2f188a0580cddd73d48f8fc82b7a2dfe4171e69

SHA256
c3ab39a8039f10bfa9618061864636a7d20ea4be224f122e7ed7d2b3e43672f9

SHA512
94925908cf4be35efa7309fe9579a07a32bd08bbf41078672810ea1cfb9d5607e8b97757c0b4f6e85239d1ace7ec35a3df5cfc215a6c30ec680a0da60032e81e

Download Submit
C:\Program Files\obs-studio\bin\64bit\Qt6Core.dll

Filesize
6.0MB

MD5
0762b88bcacebbf522d913012d91ea4b

SHA1
e731a4d58f05c3def45e73ef8827cb0553619ebc

SHA256
de5cbead1bc26924505aa081350f233b9ed472bfcf5a17d76f6f8c490e07a76d

SHA512
02b0f34416a634a5874f8dd66390a81311d91aac639d32344ff535273afe5173f34fb9826e7b1bb333cf4a8dd94e96f637e877dde913be239e7c55f1e779dc20

Download Submit
C:\Program Files\obs-studio\bin\64bit\Qt6Gui.dll

Filesize
7.3MB

MD5
f8ffa256dd82305d8e8126846360f1da

SHA1
89f5c5536cd346e2bdb4c65ffd7144937cf752d8

SHA256
b200628e8b572be7c191743775393b119672e8d05ac9e939783963124cf777c8

SHA512
ffcb56eaf79435821f52e72f08007bc914770b9ebfef2a9c2abe19b7bda1e4f39e0355cf0d7258508c076993f928e2fb548cd68945defa7194a444a19a90636c

Download Submit
C:\Program Files\obs-studio\bin\64bit\Qt6Network.dll

Filesize
1.4MB

MD5
ddce05d577d0d2e6c3e93a144f128e23

SHA1
7fc12702f41536bd73f25864e0e182f32f91d336

SHA256
8ebf56451bb054cb7adc802bd30f48ba5aa5ebb05b2df70d9d31e7d490458b30

SHA512
729ab8df0f8ae48954c0977724127de2659836a1dbf2517820a2703b4176f2fcb2f550230efa4e828a3d1fb3e172910ebef676d10066def5775692bcddccc78e

Download Submit
C:\Program Files\obs-studio\bin\64bit\Qt6Svg.dll

Filesize
369KB

MD5
1a695937090d5650bf0139b43dfabd49

SHA1
f3c0b976fdddccaef0ae72afba984ebcc1db859e

SHA256
e2d1856c1ca01d4fb9e81dada32faf522e4eede08cbe0cefe409b6d435eb0b5b

SHA512
d10a4cb0e1d4a2c6ea61e4255d13f7e0d944ef302ab91b917fa49fbd8449aa040e7d0252728b4c426cf7e49f868352e08b9eb3657a5d5eeb90f5f0257c4a0339

Download Submit
C:\Program Files\obs-studio\bin\64bit\Qt6Widgets.dll

Filesize
6.1MB

MD5
e6848de430c0d895eb7e2a4c857710f8

SHA1
ed411a88fda01cccbfc10fb5cc0c9f0695f860da

SHA256
efb88805111bd064c6a2832b311729c17236b5d8c63437b19e207994ed1db921

SHA512
18ebcb55b8f5f908b26757fd09ff03ab7aa402d37a4c920f186b774cdda721bd2916f99b8d040db44ec6d43352d750889575a0e7c2a52e9dd8ef0b51842c5007

Download Submit
C:\Program Files\obs-studio\bin\64bit\Qt6Xml.dll

Filesize
147KB

MD5
9f277e952a04d33f809ef0f0641b4b7a

SHA1
906936a5483a4f029822f91dedf11a6c55c8a3a1

SHA256
66ae1d526082dcc52ac0d503bfd12525f0f463f44ecf6020df68f0323cebe29c

SHA512
dc4d15140899b6e7dbf00ac1760831f094f7e558e054466d13cbbb91c7275d389d1a1cf553db4c7bff857886ce40302fe8b554badb3f1b0ebe1bbb5a483867f4

Download Submit
C:\Program Files\obs-studio\bin\64bit\avcodec-61.dll

Filesize
33.7MB

MD5
8f1b9c7b3bd443fca6d813bf8db3d7c8

SHA1
1686c54937d626a53d0ce29d0de1ccfcab0c7ce4

SHA256
a96a34a1cf09e9e137c3e660432327373a39b97bb6996f120dfc596588d271f7

SHA512
61645810499e1017212ca605f9d2d27405cdcd2cce246a352c64bbff1f50470c0ad08ce4fb8e05875d2dd8f58e70bd5cb56b0c0f961e55bbd8fd82998aae05fd

Download Submit
C:\Program Files\obs-studio\bin\64bit\avformat-61.dll

Filesize
2.2MB

MD5
e0eccd9f5ca450d443eb90fb1c49516a

SHA1
f1280bd7fee74f5674ea7672808639d95e171b6d

SHA256
bc59f2f176887ef96d257392c5fdfbf220e44e850226482d29e09c0e499570b2

SHA512
19a32a8016aed12a0195e0bbcda3d665e6ebd11a5734798d9c705c0f4a62e84ed2a2cfa09b3ccbf48e07ce2889b1c2b47b4ecc8461d55fa6e2d61a6afff3e250

Download Submit
C:\Program Files\obs-studio\bin\64bit\avutil-59.dll

Filesize
905KB

MD5
1b9a6b04205cee41ffc62f71d644c451

SHA1
cd49ccd6fc64b20928a3462a4c4accaccc9fc2dd

SHA256
db319a558f1d7bdc1f9512b3f4d5304d97fd1002d75fddaa460760395910203b

SHA512
28cfcfbd9979777f63270ed67a8b453ad283220a51274ec8caeb1ee8732b14c652f45792e8a00a0b08c9c78670e7610f243a4246692dbc0b695037b025f68a0c

Download Submit
C:\Program Files\obs-studio\bin\64bit\libcurl.dll

Filesize
554KB

MD5
46616276132e99de502535117af6aab5

SHA1
c3cedd0f355e551ca93e58c721c73fb06227bca0

SHA256
dd1ee50bf696d361c3b2c81232ca3374ac826acdaef8431cf85cc21c3a20ff1f

SHA512
848f612c813770f851b868249c916fa127ee54de4c539f085a7699e5bd57f90958c60bf628ef79fe60a0cb7620cfe9a0fc2cf8dde4d2bfc8bd838bb5ec963908

Download Submit
C:\Program Files\obs-studio\bin\64bit\obs-frontend-api.dll

Filesize
39KB

MD5
f3747839c3b931b430f63a28fce6b0ee

SHA1
e42c74e64256d20e4ad54b1d3b1b20a1cf7751fc

SHA256
76b4219c0c31e9c3523d2a888ce1adee2a946bacdbb7b4e7339cacf2dcf764b0

SHA512
4ef948541424ed1058b8ed48f60279f251cc8493bd536717c7a6a848b1b8438f0d47569d5ac558a3e36a34018021e25e1e048808fa45aa086a12fbac28debe68

Download Submit
C:\Program Files\obs-studio\bin\64bit\obs.dll

Filesize
1.0MB

MD5
dbab8ea71b62001473ee033c5116c730

SHA1
afc8d7d2323ded9751dfd6fe9a5533828aa8deb8

SHA256
6dfa042184abc12f2fd586b985e373bfa36cc6653fd57eb453c92e5419d3a910

SHA512
869d20ebc0853b6374734a40beee146da75849537d908b896c0abd888c714f353cf34a1a79c1f6ad92660a08c7907507cd8d5bd52338eb55dc9aa425ef9a09f8

Download Submit
C:\Program Files\obs-studio\bin\64bit\obs64.exe

Filesize
4.8MB

MD5
f57c0c3698e1043aa79b09422b3142f7

SHA1
9f61c05f7f6f9b7f0313426c5563af105f1af233

SHA256
34faa2f7086942a97d10685d70a2788676c337894b5ad09f8e15e6b0db35926c

SHA512
fab0aa9ad2f97172e9f8e82dd6da3f806e9de1683d66b611ae5b2bad3dfb1d561d2952d7211dc0cd8cfa23230bd5c9eed055048b47ed8eedc6447bbd67c8c0fe

Download Submit
C:\Program Files\obs-studio\bin\64bit\swresample-5.dll

Filesize
128KB

MD5
ad52689aa55d9d89bd7e9e4b05cd6729

SHA1
f70ae4a337928964704a832b51a96dfb3b308be7

SHA256
cc68bfbc0825db6ca6b802dcea6cf8d151acaaff1974853620968a9f763bf365

SHA512
ce58b3b3ce7c96bab4757d97fb791f766ccb539a1cc8a3845a63a0078c4a3ebb1385bffc0c152add0ebd453bddef0cc851686ccb47746652e1acb5cedca9f948

Download Submit
C:\Program Files\obs-studio\bin\64bit\swscale-8.dll

Filesize
571KB

MD5
e46d4f133c67fdb94eade7e9b2df9bd3

SHA1
20d2b407cf36cbfe54a83867c0b4077936886984

SHA256
9d80a884f369bdc0fffdb36bebe677087f5b5df27400a293a52a8c5eb97b8e2d

SHA512
f091f35ceeaf0902a6ff6f6b87cdb8797f2c03501fb4d97cc175a5509567e481eda218477e40cea5207ff41f46cc5a039216be0c46c5613f34ec682a1b7019ec

Download Submit
C:\Program Files\obs-studio\bin\64bit\zlib.dll

Filesize
90KB

MD5
da44376014514541164830e404fa63e2

SHA1
69b02a0e1a9981dd95c557083162d37778cfea16

SHA256
642caa6f51426589698362245a66358248ba7252aa55fe2c80e8f42106b35a27

SHA512
0d5649c6987bdc439e8f5e46f147559e5d4096650d871549347e2e2da3294eaf6eb72ff66e5199d5eba7a86ad2867edf0b2ba3480c3686d7bdaca57a9ae38ad3

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\en-GB.ini

Filesize
1B

MD5
01abfc750a0c942167651c40d088531d

SHA1
d08f88df745fa7950b104e4a707a31cfce7b5841

SHA256
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

SHA512
d369286ac86b60fa920f6464d26becacd9f4c8bd885b783407cdcaa74fafd45a8b56b364b63f6256c3ceef26278a1c7799d4243a8149b5ede5ce1d890b5c7236

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-capture\schema\package-schema.json

Filesize
1KB

MD5
cfc8555dce7c954555346ec0ef15fae8

SHA1
da1983d90d8bbbd3eb778ebb92d45427f1b35f41

SHA256
524437addbda00d3a64413b639847211054905a959786a4a5609fcbbb1f101f5

SHA512
4add0e8632568a665d640f63ec9eb992a3f50a21675883d48d26e784caf8b25c4bf6de706c2ab705fdad325adb02cd681779eed632976dfb042caa88a16d390d

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll

Filesize
177KB

MD5
081c54279a2a7ae4d76dc7f90cb9e1ec

SHA1
895bde93e6f5bae8c488945c3a68bdb71cd3a8df

SHA256
6011593d53905e59b0d238857013dcce05d623de1e3d0b593c0eea93ba92a513

SHA512
6adeb7d5617bc13e4bd85397f0fe3e45df7f6bddc4628b7341545e76ae48ff6b76ced0dee19de507a496c1477ff7efeb8e6f9ddccec036bac8bec9bcf5dbf79b

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll

Filesize
221KB

MD5
ff132dfef15b8175c651ae453c8339a2

SHA1
ef6d6cc3a8be8a1082066f263baca05db05aa6ef

SHA256
5bf0e7a2efd1f0a7fcf339178d6485fd4372f67a31276f6557f4c217764670fb

SHA512
d074ad73418b7927cc4316da536f3dd6317849c5efd0451b63a8ab61f6b1e6c9d4197c471635413b159d50545aa4d8a5541885930fcbd3d0ad84946f2c58c21c

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Dark\media\media_pause.svg

Filesize
526B

MD5
f26adafdd9d123f489f874c9a1b4bcbf

SHA1
228f6132d7e7abcf77fcd49409f07e68b25d4adb

SHA256
3a8ebca48196921a623b652c07344507f14fbc265a125ead876e89b28ad946fc

SHA512
3ea1adbc6d327e09418a0476971bbb4868effb171045cc0743d21dbed3535eea275518bf9aef9eecf33e9653b19ddb751d3826d53907690672583243e64c13bf

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Light\media\media_pause.svg

Filesize
526B

MD5
b2e1d7d541b7fab7513d295f0ffdbc6b

SHA1
50fedc18267466537fc9c1d9b362143cb3621b01

SHA256
d71fe1d398ab1a31a0906c1054d67b022954ff3df6a750bb6c5e66375ed9a642

SHA512
575e068c38119ee7f873dc2243a15ca390a409ee5b9d2108ce5ea5ed5fda2974e3316f9d53e5a6a155c1def25f15f1bf575218347be71bde8b5a9310c9799ba3

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Light\sources\media.svg

Filesize
558B

MD5
782275b15439d90e21c0595b28e1f251

SHA1
a40a166994402a2fe2e782864c3612dbf2619179

SHA256
16440c1cf957bf20c8cb01d2a490ff46d4f2812376275d35051b659b62ac888d

SHA512
704da362efe3ee13771d589d1c3a94a8a85836d5c26d35aa76d02f502f683417e162df4067fb7fc26762c858d708b921a5fcf6c80f6505ef90dfa68c102af738

Download Submit
C:\ProgramData\obs-studio-hook\obs-vulkan32.json

Filesize
514B

MD5
59a9aa7a899f33d7f8dfe58424c091e2

SHA1
0b1b8e669ec05f547b2c116606626480b7502d93

SHA256
c16e0707ae66ad71e8a0720aeb6e6997a1017f19762333452aef692115a9ab41

SHA512
77b4d92ce9d6a73336fd7beca77825682dbe5b94c921e87f3d6546765f65aec585b285dbc12c092c313b7055fdc55b1e5bc0b254ee253ea17dcc63027f5a8f56

Download Submit
C:\ProgramData\obs-studio-hook\obs-vulkan64.json

Filesize
514B

MD5
4a0ee9e5f72aec20551148f649ed58c5

SHA1
f5e897db4a7c311b2afbe6054fe28ba459712481

SHA256
7b6b0813fb58b276847a8583eb5c3f94aee7d7ad0ae3a1ef6133d5d8771f20f4

SHA512
8c7977ba8781ab0ad9d0ddeabb230d9466da6c9c47f33cbcee6380079734e832a1000e4a55218ea0d5acaee500fd458a3be76c6d4cb2831767cdc07c3930aad5

Download Submit
C:\ProgramData\obs-studio\shader-cache\1ab7aa1b854459a7.v2

Filesize
840B

MD5
0b2301660cbb980468bf1b8b4eda87c7

SHA1
ef3c7bf64ca477dad586d5ca3aa16318b27f4e72

SHA256
d913ce5b4ace04b97bb8f05bf49d777a5c231ce0737dd5a63bcd3215d8c63bd9

SHA512
b392bf58b9da599c8896f233c4a01e61e23546daef235d279b771a8849ea718a13b457b768b7196e3800ab82d24b946e066d334299142551bf3565d96673cf80

Download Submit
C:\ProgramData\obs-studio\shader-cache\4545d6ee7b176b7d.v2

Filesize
964B

MD5
925008d85689f03f9c2c19b2a58864ef

SHA1
9707491fe67342b0428924976a5d4d4cca787fef

SHA256
b03ed79f9d040f865ac250b25a7a99ccebf244c5bb9d2bae4287f025bae8edc1

SHA512
097e0733c12a57d148ffbdc844f9444026fd13359a52d8fe73d172e8ac8479d4e23dc1a00be3b04f2880e2f094a7a322fcafc3ba00603ee7f89c586a75cf84fe

Download Submit
C:\ProgramData\obs-studio\shader-cache\62281a72182c4ba6.v2

Filesize
908B

MD5
a09b098bf807333abd23734e543dc2e5

SHA1
972a560bbdcad956b41b96d5a5d98b74b3744aeb

SHA256
5e7044f39d34e7f45770264f93647c2701bed73c904f8f233dc5ea94870b4403

SHA512
bfced55e2eeeff8f5393a84b23ca0bec0391411a1b649be153cc1563c1e736e3e124b502fb6df18c5bab5ccb9f6dbd6369cbb5251dd03acfce8078ee96d8eb05

Download Submit
C:\ProgramData\obs-studio\shader-cache\6a755cdc9e6092ae.v2

Filesize
840B

MD5
a301b07b443e54d2763c6cdaf88ffcef

SHA1
f2da06b9dd608eb5786ad2fbbb42aa77f351c39e

SHA256
fccbe79d93005236718ff168a3ba2267d228b4f93cbc848a95eda3b8482b6697

SHA512
db51188f09eb3b13baeb726f80f06dbe36d1ae8c960aa75a7f88eedf42e67e286f3e7f33034fbe9a16c7cd339058dc4782e58467b0c033e94073bd326dcbebf9

Download Submit
C:\ProgramData\obs-studio\shader-cache\7a6e3fecabdd460d.v2

Filesize
888B

MD5
b1695633020889910efc1cd4fb9b02a0

SHA1
09eb2ec232b08bb092fe2cfcee795ee57275f93f

SHA256
3b625049381ef7d97538364c28efbbde8e5eb28f010f077afa36ef5a74778333

SHA512
2b4be7f4c6c8182a119d440204505e1022d017d9199933a9162a35ad5b2092efee29be847caddaf7e73d310a320f69481381a4527a59a9847ded132fc42946bc

Download Submit
C:\ProgramData\obs-studio\shader-cache\7f0084f9c4106e16.v2

Filesize
1KB

MD5
15d39c0e4271b5ccd51d06dd38ea848c

SHA1
beb07872ec6f978633df7a92ad12e239a41f0587

SHA256
ea9109f443a204812899fc727c2e3e779a9114136db0afd729deec2e817a2db0

SHA512
16ab1fb86f5ac7dd412c1e3f87668a8ced4881a578739077ef74f68869e3be4d802fad72232aed270be0be25712de494473b2f883a94acccd1dfa7342a83bf7a

Download Submit
C:\ProgramData\obs-studio\shader-cache\8d390f4ad08d5c53.v2

Filesize
936B

MD5
edac8cc11ee6b2f4eedf0767d9bd1a25

SHA1
816ae2f8507a2dd7f87da5645e5a28f144811539

SHA256
442e3643bab4f98c14485a18e239d2580f18989831f9cadd19129e3df30789e2

SHA512
666d64b4caa7229b888bbffc58db1995c791c8a6b1518fca195f466b6e5f6062f5928f897ed5ff14b02518df6fc078dd45662bbddb5d5805a6cf34d58e4026f5

Download Submit
C:\ProgramData\obs-studio\shader-cache\9ea4a251d7aa3c18.v2

Filesize
624B

MD5
e8f1aac1454a9411ecfd28bdf322b910

SHA1
12ca860dff45487c176212e2e4db4ced5112991e

SHA256
6c40664272501dab61c1507f87b612d40819510781d05971735443cef8ebc95f

SHA512
677dfc0140b6a75fbe9ae6e2c59dc0f305c8d5d7e34f858caad917893614c95c7eed8ddfb280d2f913117e3b02dc6613e369550ba38f97102fd6c4b197930254

Download Submit
C:\ProgramData\obs-studio\shader-cache\cd9cfd09db70c3cd.v2

Filesize
960B

MD5
a36fa067d5417109e7c2a79fa47109e8

SHA1
2cd916c1a5c0a21b021ebc424ab316be4cbcb499

SHA256
c0d87fc26b604a942bb03b1349794cb397ababfb1a14eb09fd8ea1de5144aed2

SHA512
d826b76826b10f675fd40fc36ebf3aaa8b5b69c41090282b491a7ffa77b853db80a3473f6032bd1afe406e5272d671585a93d0bca29d7cf9029ab50a140cd1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240727151417_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
c3d9535f331160210dbdedfd1ac516c3

SHA1
6f07a9a976f8da5358296b9970c0c84462a79000

SHA256
f939d5c42b16568bf90f11b4c3ccdf1dfd7a0cc6a145d0040d4195586ca00da7

SHA512
e25f1605ea6006b62a707484a3ca30e080d72640cef7e0a63438b00bb4973d5c51d979ba6c47d4e6decc7a8b29816de5966feebf4d404957a7ea56e0d09ada3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240727151417_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
565e5f22843df5ef078ec0fcedf23bdd

SHA1
81fb936d55ea4790866646868cd1196e903a030a

SHA256
f1abd3c1590f43a924448ea743411f8909fd8b38ce6514a018f3b6b7a84846ad

SHA512
27cc47dadc56d443548aa75149fda41767121671d4d335794da379c0eac060b99771d49be52f9560b03352e1c3b1b42a945361ca9194ed68fd3704ac96ac98e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\OBSInstallerUtils.dll

Filesize
426KB

MD5
e1f825260e7224ef0526514754f7d0e8

SHA1
553d67289b039ffea5d8b59f509b9265dca2ba19

SHA256
1d84aa191fbbd842d5eeed302195579de1256a9acb980308bf31a631ac01e530

SHA512
b9453eb4ae6edbfd86e438ed0825725ab91100b8403a933bb0e359703be462f6d3d37f8bfb32eeae375a46512c619370f9802925ae0d8898f540f933b05b281f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\VC_redist.x64.exe

Filesize
24.2MB

MD5
1d545507009cc4ec7409c1bc6e93b17b

SHA1
84c61fadf8cd38016fb7632969b3ace9e54b763a

SHA256
3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

SHA512
5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\check_for_64bit_visual_studio_2022_runtimes.exe

Filesize
10KB

MD5
9baff51bb8539498c81d0c2ed0034d9d

SHA1
e85ff796a54221f723ad36412329d8c650b7717f

SHA256
b324a6025986306656fc2a03d0a3e9ed5917dfa7cf14fbfca888d65b39822074

SHA512
cc4008bb5586840c1f031f09ce04904b22ae5ec43c3331586593fefffa22725c076835627253d6aa0468fd24124068603b82eb45490cf96e20a6c4f1d5472576

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\ioSpecial.ini

Filesize
1KB

MD5
35bc89f94979bd97f9ac80553fa0cbd7

SHA1
3c859ba692281cd648cb3afa0ff1c019913d8ee5

SHA256
edfc5f5c3ab3cb4c51cb79ff23a441a5b016f711ea6cf17fdb4138b3f9dc69a8

SHA512
ba1c55d316675cd82120dd1070dac153012411d24eb4a18a0de1d3ef5f17cef4fac1b6101fb7f2d53a9ba05f18c05ea9549a55ffd9af16170ecf46ee5e535757

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\ioSpecial.ini

Filesize
1KB

MD5
93579f303daa16de352f01373569e764

SHA1
5c428bc353a12d3878b416632c05cae59db5399b

SHA256
c6da5051d5edca9b46d6ea3d94ac59f208b98a46fd447989ecd03b3d6b73e99a

SHA512
c26ccc900d6e2403f1a1b12a07ccb50e355000a946f2b936047e8de50d7634482448f4c8c61f2623750b6058904e278b62cf217baa81cd66ab38af3c1467a822

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\ioSpecial.ini

Filesize
1KB

MD5
25b81474d8d8b9d202d47cd7e78e1816

SHA1
9e246b986245e7ca44edb2f9205f1189f812450a

SHA256
8456a3adda3bbb2caea71f4df9de0d0328a7dca4aeb4a6b3fb1fe761a9b90a4c

SHA512
989f676317fbd497318988dc959211d60daadfb52f6ddc5ed5f5e7cea09f54475e73cc6beb08acdb38ffc9d0597aa891b2ca4c539f2cbf703169aad1a2434b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswFD7C.tmp\ioSpecial.ini

Filesize
1KB

MD5
6c3117614ace6dfcf5f3ef01741ca79f

SHA1
4158e3664eb1b4f7f1c691653011943efbcc1f7a

SHA256
2596fa1bb0f1aa7460ee9e0da0c9f1cca537dce315ca9a7700375c94a2a9a62a

SHA512
b9a73ec104d2be2f15897ce288873fd61c6c7880e743a171dbbacdd14f8803f1e106503d10a3fce5877090ef2a11f86ac3c71ddc3dea16338c4dada3e012f575

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\basic\profiles\Untitled\basic.ini

Filesize
27B

MD5
d785072bd43717886593f737817fff15

SHA1
8c7ef0936b7f5a5cec10e9b5e1278400e276e6f7

SHA256
7989006d0b1b17f5e4f4e20960713600d80612c3799963454e463f689a3cf613

SHA512
8bcd4ed11b248d2934bb7fed91cd8645b77f89ac75f357277a9de04e1121ef4217e982783d61c32b1e8e04d2c14eb82fab78926dc46861db511a8741a62c0c20

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\basic\scenes\Untitled.json

Filesize
2KB

MD5
431c535cb9d474164a59a18c180119dc

SHA1
3f221bcaf4fb1961184774af471dc3c3b8212af9

SHA256
938a7d8194e75511f626a32f90f8c325382343194d6882c72c778864e57b6f8e

SHA512
269aca2381eab740b38c39177f60ef072de2e253d06e8eebb6a3dc00da6ac7b4a09c73887112e1d4f3d31bbff1b6eae1a2f593f334b5ed21dd807672e57f10ce

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

Filesize
95B

MD5
5e1a6ec63e7f3c47ee8e518eb9363bda

SHA1
7ee6c56636dc5bb77c624542dfed81cf61e1301c

SHA256
90eb7d1ad2ba1c3f742eb01a0930d3e98a5fafcdbfebe4a30a429872721ef04e

SHA512
178aa925045f84eae42846cca4d7f8a8f339a044eda2e15d2ac07c2dcbf4911a38e5df7e4e1ad288b696285daf00c630ffa79216aca9421318c0af8a220f0dac

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

Filesize
1KB

MD5
2d11a7241ec1418d55ae30225dc50a57

SHA1
ac28b9c98b24dd2e2ba5e23d80993ee03728157f

SHA256
9be28c7c42a0b12719f2f347d06835fe480526ac0cbee508327545e874c35e1b

SHA512
d2bb13824b7aa59eca163f0190e4ab274f72b995e86fe933335a371757f427a46a156c3eccea82f036086861bff1f01230d63aa8e612ebc85dd471f004f44a9d

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

Filesize
1KB

MD5
285c5fac32681c0aafdf302d25654f28

SHA1
b5a946252ec63fd814ca3025cf55376571570e07

SHA256
5148823476782eca2985bee30e4b5d688e84aa019b15044918988131004766f4

SHA512
5150e04f82fed8af889008792e62b6db7000ac9ebbd058ee658d2dc1db6a82faa01087d5e6d37b65b976e119f6fc1386e33be8eabc2a01afd6c6e145849b4d6d

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

Filesize
1KB

MD5
f49d7cf8c6e20d6ffd53e48c8dac5464

SHA1
2b414599087be6503e483f21c2ad3539041cbc56

SHA256
a3d92deb754a484c76a30155da0bba76e6e8e3661d4cbed8ae904a9fd1c61760

SHA512
aafeeb3dfceb83f7d486b0ea38d29c1389e311c4e8f183eb3b967a2ef113566b2d35f46f413eafc01c54d6f107d87c87e60f89cf36063b170889822b4f0cf18d

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
6d290c0951b05168d0a640f6279add42

SHA1
75f7c2d67403909e7df71447a140cb5b130aa702

SHA256
1d4681192bcc45567618b6c685722ebba6a2a265bc374c4fc1cb74a40fcff8f8

SHA512
7b190e3e935f7ff8773bbe290cfe261341a808284b29dfe127fc4653dac71b4cdc94e47f59245b1cabb2ab7c3f6f2d0fb2267391015c267326e38052308e65ac

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\Code Cache\js\index-dir\the-real-index~RFe59aabd.TMP

Filesize
48B

MD5
900ce94df2c867c0e70723ffd014e2a3

SHA1
3f7a59b1b9ea4a4756d33a16d6dbf21e954a5c06

SHA256
76bc5140ff3a0148dec3bb7085dd8edb2faa08c073d50b2e979eed3680832acd

SHA512
0d42ec19c173539ba3944e86272d2c9a3f422871fbd512d1c2f708dd71bb320af812ebbb5334ab7ae5a1f377fefd3733739139159d1029f42e4e96ea1f02683d

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\Network\Network Persistent State

Filesize
1KB

MD5
90b38a7c48adadbbc756e52e1ce3f69b

SHA1
45be462cb8e59572b3d6696a7692b658a67cc7f2

SHA256
849f3757409001d5da08d4c46957d5a3001436e77ce880d39a3e54097fad6c76

SHA512
f7a08cbb8d19ad8b9da6f9c1f1e0a52a1559a41aa436d803d6485121a4ad34c42f48d9385eea593c9516895595458369f0df4fea5484f555cb899ac0019892e8

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\Network\Network Persistent State~RFe59fe4c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\obs-browser\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\rtmp-services\package.json

Filesize
251B

MD5
e4a7bae7fd4734b7f75ec5ed456364f1

SHA1
8795c376becc835c3b831ed417a446d8cfb0d12c

SHA256
29901621e14894c3681e0c9acd035e5f75e80f300e423d4309fa49368df58858

SHA512
f09191b24712bc37a2354f3e3e02153e42e8b74d9e3bee7a3dfb9f154ea9e6c807a9db7961fdbe0b9509fba20b40740dacd982d26d9fd1ac48374e3fb87da9db

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\rtmp-services\services.json

Filesize
101KB

MD5
f19ee49d2a80f2d186e793099b547043

SHA1
1b2a305dbf52858ca9953c36b0a7e362959d7381

SHA256
d2642f3d603c27c82f71524449edba83f444b58df29152244aff6a2c77c59e8b

SHA512
931ebca922a2019f2a09e5f4e5b36a545e57f127447fea55bab103b0ce3096e304f7ce34238fc89be7a33d4eec25a79a7800381523abe9e717300248a55eec43

Download Submit
C:\Windows\System32\msvcp140.dll

Filesize
561KB

MD5
72f3d84384e888bf0d38852eb863026b

SHA1
8e6a0257591eb913ae7d0e975c56306b3f680b3f

SHA256
a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde

SHA512
6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6

Download Submit
C:\Windows\System32\vcruntime140.dll

Filesize
117KB

MD5
caf9edded91c1f6c0022b278c16679aa

SHA1
4812da5eb86a93fb0adc5bb60a4980ee8b0ad33a

SHA256
02c6aa0e6e624411a9f19b0360a7865ab15908e26024510e5c38a9c08362c35a

SHA512
32ac84642a9656609c45a6b649b222829be572b5fdeb6d5d93acea203e02816cf6c06063334470e8106871bdc9f2f3c7f0d1d3e554da1832ba1490f644e18362

Download Submit
C:\Windows\System32\vcruntime140_1.dll

Filesize
48KB

MD5
2bd576cbc5cb712935eb1b10e4d312f5

SHA1
dfa7a46012483837f47d8c870973a2dea786d9ff

SHA256
7dd9aa02e271c68ca6d5f18d651d23a15d7259715af43326578f7dde27f37637

SHA512
abbd3eb628d5b7809f49ae08e2436af3d1b69f8a38de71ede3d0cb6e771c7758e35986a0dc0743b763ad91fd8190084ee5a5fbe1ac6159eb03690ccc14c64542

Download Submit
C:\Windows\Temp\{0F428FB6-13F8-4989-8D8E-050F69D98E6F}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{7B5A39E9-FB61-4058-A5B2-C0C33020C8B1}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
memory/1532-2315-0x0000000000ED0000-0x0000000000F47000-memory.dmp

Filesize
476KB

Download
memory/1924-2278-0x0000000000ED0000-0x0000000000F47000-memory.dmp

Filesize
476KB

Download
memory/2556-6418-0x00007FF7DCC10000-0x00007FF7DD0DD000-memory.dmp

Filesize
4.8MB

Download
memory/2556-6419-0x00007FFEE4A50000-0x00007FFEE4A60000-memory.dmp

Filesize
64KB

Download
memory/2556-6417-0x00007FFF01380000-0x00007FFF019A0000-memory.dmp

Filesize
6.1MB

Download
memory/2556-6416-0x00007FF7DCC10000-0x00007FF7DD0DD000-memory.dmp

Filesize
4.8MB

Download
memory/2964-2316-0x0000000000ED0000-0x0000000000F47000-memory.dmp

Filesize
476KB

Download