1f5d87d2c996b5e6dcfac2ebfe3f24a70817fada79ca3e16c8eee8f3497c2bfb

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Obsidium64Setup.msi
Size

15.9MB
MD5

b22bf4d75aea2ec6a0868f197b20f128
SHA1

925d722642fdbf2b7b9d70fefbd25efb3005531d
SHA256

1f5d87d2c996b5e6dcfac2ebfe3f24a70817fada79ca3e16c8eee8f3497c2bfb
SHA512

5feebff9e884af8f65e824bf4f52126c01d63154dbc44027a61b5e4510328bb1329883b6316f4e920fe27c017e69add48d921e536a4f5945348d41187901b574
SSDEEP

393216:laoik24KCni1T2NK7/39AHUGN+wIbfae8xAlxCvhSYo6:laGwCYT2Ur3uh+wIz9CvhK6

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	772	msiexec.exe
5	772	msiexec.exe
7	772	msiexec.exe
9	772	msiexec.exe
11	772	msiexec.exe
16	2576	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1320	Obsidium.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\README	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_vm_start.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\C++ Wrapper\Obsi.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\NetworkLicensingSample.vcxproj.filters	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\obsi_example.vcproj	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64x.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\keyver_long.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Delphi XE2\CmdLine Example\cmdline.dproj	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\stdafx.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Tools\display_usbid.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\spanish.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\msdia140.dll	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\php\obsidium_keygen.inc.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Sample Projects\sample_short.opf	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.lib	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\keygen_short_test.html	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Tools\readme.txt	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\C#\Keygen\ObsidiumKeygen64.cs	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Sample Projects\sample_long.opf	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example.sln	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\stdafx.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\english.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\TranslationTool.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_enc_start.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\C++ Wrapper\Obsi.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Delphi XE2\CmdLine Example\cmdline.dpr	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\PureBasic\Example.pb	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample.sln	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\keygen64.dll	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_enc_end.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Sample Projects\readme.txt	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\german.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\indonesian.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_lic_start.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\keygen_short.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\PureBasic\obsidium.pbi	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\VB .NET\Obsidium64.vb	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_enc_end.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\keygen64.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.a	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.def	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_vm_end.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\czech.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\obsi_server.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\obsi_cmd.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.dll	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_lic_end.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\php\test-generate.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\obsi_example.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\russian.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_vm_start.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_lic_start.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_vm_end.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\targetver.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\stdafx.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\NetworkLicensingSample.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\NetworkLicensingSample.vcxproj	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\stdafx.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\targetver.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\dutch.lng	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f773faf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42F8.tmp	msiexec.exe
File created	C:\Windows\Installer\f773fb0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f773fb0.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f773faf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4624.tmp	msiexec.exe
File created	C:\Windows\Installer\{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}\ProductIcon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}\ProductIcon.exe	msiexec.exe
File created	C:\Windows\Installer\f773fb2.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1320	Obsidium.exe
828	obsi_server.exe

Loads dropped DLL 4 IoCs

pid	Process
1972	MsiExec.exe
2620	MsiExec.exe
2620	MsiExec.exe
1320	Obsidium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
772	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obsidium.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\DefaultIcon\ = "C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F9071113441C1C54E9B66905EC0F4C96\0BE1754AC0C18D04AB7A2262C6AEF6C4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fLanguages = "fApplication"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\PackageCode = "36451512CBB3AFF479D99984F25401D8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\PackageName = "Obsidium64Setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fSDK = "fApplication"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fExamples = "fApplication"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fTools = "fApplication"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\DefaultIcon	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.opf\OpenWithProgIds\Obsidium64.opf	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open\ = "Open with Obsidium x64"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fApplication	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell\open\command\ = "\"C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe\" \"%L\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Version = "17235973"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\ProductIcon = "C:\\Windows\\Installer\\{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}\\ProductIcon.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opf\OpenWithProgIds	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\ProductName = "Obsidium x64"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F9071113441C1C54E9B66905EC0F4C96	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\ = "Obsidium x64"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\ = "Obsidium Project File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\DefaultIcon\ = "C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open\command\ = "\"C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe\" \"%L\""	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2576	msiexec.exe
2576	msiexec.exe
1320	Obsidium.exe
828	obsi_server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeSecurityPrivilege	2576	msiexec.exe
Token: SeCreateTokenPrivilege	772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	772	msiexec.exe
Token: SeLockMemoryPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeMachineAccountPrivilege	772	msiexec.exe
Token: SeTcbPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeLoadDriverPrivilege	772	msiexec.exe
Token: SeSystemProfilePrivilege	772	msiexec.exe
Token: SeSystemtimePrivilege	772	msiexec.exe
Token: SeProfSingleProcessPrivilege	772	msiexec.exe
Token: SeIncBasePriorityPrivilege	772	msiexec.exe
Token: SeCreatePagefilePrivilege	772	msiexec.exe
Token: SeCreatePermanentPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeDebugPrivilege	772	msiexec.exe
Token: SeAuditPrivilege	772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	772	msiexec.exe
Token: SeChangeNotifyPrivilege	772	msiexec.exe
Token: SeRemoteShutdownPrivilege	772	msiexec.exe
Token: SeUndockPrivilege	772	msiexec.exe
Token: SeSyncAgentPrivilege	772	msiexec.exe
Token: SeEnableDelegationPrivilege	772	msiexec.exe
Token: SeManageVolumePrivilege	772	msiexec.exe
Token: SeImpersonatePrivilege	772	msiexec.exe
Token: SeCreateGlobalPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	1440	vssvc.exe
Token: SeRestorePrivilege	1440	vssvc.exe
Token: SeAuditPrivilege	1440	vssvc.exe
Token: SeBackupPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2248	DrvInst.exe
Token: SeLoadDriverPrivilege	2248	DrvInst.exe
Token: SeLoadDriverPrivilege	2248	DrvInst.exe
Token: SeLoadDriverPrivilege	2248	DrvInst.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
772	msiexec.exe
772	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1320	Obsidium.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1972	2576	msiexec.exe	35
PID 2576 wrote to memory of 1972	2576	msiexec.exe	35
PID 2576 wrote to memory of 1972	2576	msiexec.exe	35
PID 2576 wrote to memory of 1972	2576	msiexec.exe	35
PID 2576 wrote to memory of 1972	2576	msiexec.exe	35
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2576 wrote to memory of 2620	2576	msiexec.exe	37
PID 2620 wrote to memory of 1320	2620	MsiExec.exe	38
PID 2620 wrote to memory of 1320	2620	MsiExec.exe	38
PID 2620 wrote to memory of 1320	2620	MsiExec.exe	38
PID 2620 wrote to memory of 1320	2620	MsiExec.exe	38
PID 1320 wrote to memory of 828	1320	Obsidium.exe	39
PID 1320 wrote to memory of 828	1320	Obsidium.exe	39
PID 1320 wrote to memory of 828	1320	Obsidium.exe	39
PID 1320 wrote to memory of 828	1320	Obsidium.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Obsidium64Setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 96A7B705B2D0C19924C0F396DBA15603
  2⤵
  - Loads dropped DLL
  PID:1972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9DDCE51B63C47869F24F5D1A14EC1A7 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe
    "C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Program Files\Obsidium Software\Obsidium x64\obsi_server.exe
      obsi_server.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000490" "00000000000004D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f773fb1.rbs

Filesize
26KB

MD5
235677e1335aa705e5c043538349c6cf

SHA1
a28a06dda06a637c5cd7c8ffdf7f03d0b2960b89

SHA256
bc0bffbfa3419e6693340a181051f303f7fe5e070ffdc4cb1e4861bd2c28cd89

SHA512
2d626412825c9382fdebe79ef02fda917ea7b987d0f5593fc01539cf67e55ab44dcab2b085bd4a6e7ae33fdaac2e2071224f4aea31992edebdc0925a72552379

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe

Filesize
7.6MB

MD5
e90776ae67f5b47bef06ea117f80e938

SHA1
7cfb0399daaee2bb858a0540ee11a8a02f712145

SHA256
f9c91b609f46b72492dc9c7913dbb946e75ad2e1f732ac08674805dbb23e452b

SHA512
b92002e4212c8f7d2be8fa221deafdf033fd70f949fc5e3c6efeaa12dcc0510cc9a0746d97e819ead8583d5cf60867f3409930b85486fab20945a9e7da9f5df7

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\chinese.lng

Filesize
24KB

MD5
beb4d15b474409b03eb6e2543b2cce90

SHA1
37ecf1c340d645704c4f2422e3322e8c353ea92f

SHA256
7afd6daaf24255046ebe2aebc1760e54f7e40fd4413b533ee734a650842a2751

SHA512
59cc94524b220ed1077e7d68ec0f13e6661eace088fb8345c8f93b88080da45b8876bb59ee1aec81df64798b4c64b9d6d8b69277872e6ad5813dd1f23f7a6e37

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\czech.lng

Filesize
25KB

MD5
2a6c679181b7d911be07d04504c61908

SHA1
7df9e8437182b4b02cf1c94e3b1eeac215595005

SHA256
6d128d694abf960cec7189864e403f33739ba1bd928ba256bb6b682c6d2531b6

SHA512
b0ea586f24a1776a3a8e4e1f7c464d464d4181ce0a4ce47430c07f1b28ad60c988d637d45c31c83c2d278a254ba594f0aeb11748b3607f13a8a98e70fff3ae5e

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\dutch.lng

Filesize
20KB

MD5
296fe59f6b2d000bad11c4ebefa78632

SHA1
a33e93bce4fc485ff43eaaa5d1e538eeaa54c5f3

SHA256
38fb0e71a2572d7724c3904f003430ff61adc035ac2d717763460ac814129102

SHA512
be4999595cfc206e6d28f45bd679a6951aa01c9d71f38c48327c29ff29fc53d93eb5e816d3c4ede423626ca9581cd1a4975f50b8fe24b490362c73315215c713

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\english.lng

Filesize
29KB

MD5
53664359bc9322731d28f6cf67622840

SHA1
b648e099b5dea752b2b5a2a3002e54de233d77db

SHA256
5be38277b5cd3dc4737aad58eae9329dc952f223d3481370498ce220fff5504a

SHA512
f8fc07d9e892efa94ba737603237b55ce07f1e40786aa1bdfa8997e38abf822e8a26488477beaa21f55d64e8483cdd7de48ce4789cd5b1b863011f949b774a67

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\german.lng

Filesize
33KB

MD5
48e9b915ccd4ec5418aa6ce87a1ec80e

SHA1
43356ab28e77884a22cbfee6cc084cf618820e8c

SHA256
e2b639aff65e878faf9a29462fb8fc42e27a2169e4d4ce97e5ed2533dfa7aa27

SHA512
392e9a823d2299064a44bcafcd12a15e214bf650100d1dad823c2189f8121402a69ce9167837fc92666a4ad1ebaccf01bc10fe6a0053af2fa428075b7cf30cb2

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\indonesian.lng

Filesize
16KB

MD5
94f984833b6b374acac4dda7672334e3

SHA1
636e3f1ff4cee778c7f58214aaaf8682ba377acf

SHA256
f81ae3e06546df5f6099c8338a35d4d28bbb55b78a42e4c30761a4b032d65774

SHA512
88740048a7d236b9dfc5fcc501de95540605407ae9ec928c19fa4627b93cb0c2f1dee958c4ceb600095ef61662d875d77d71bedf71aa6a277e569b4b23232649

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\italian.lng

Filesize
20KB

MD5
5a3a7ce3f9a98f9c3c4bd46acbadef81

SHA1
dd2d0eca38d8ecefbc1b8345085b91779fd928b2

SHA256
51736fb1d60f3e23dcd788af97ca49d32800e346a9fe91a1d9140c467af2141d

SHA512
9c0148809d6abb6a6a226375b67910a86cb481dd0bf0b0879dc5440d70ad0b300c736ad65f150549883f1ee978224d7a2a89546f5407407052c366637f4b3270

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\russian.lng

Filesize
37KB

MD5
4a140bd38541c888572e00e2618a6d37

SHA1
c154178a0369f21ba4bb535a21de1cae5be831da

SHA256
ef0dae8d0c8a630173fe6740f3a2c7b7092b8ee46dc155c02034241aa17cced9

SHA512
d2ce3f43e167e7ac4b23d64c77a3d3414a843390fc31e3b2d60aa1465f6198912dbfc7e4bedcd4dfe72ec5c03fbe2bac242d1e89f4f31dc2a0c128f244e6ffd9

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\spanish.lng

Filesize
17KB

MD5
4463aa5b6606b4190a6002e8a4fb6c05

SHA1
a4043ce9ba86923678d3fe707b83c1ca63b2b625

SHA256
7c369214c87a4795b7a1e2bf06a175dde42abb1027b3ba71480e13b1f5ba7bf6

SHA512
78a6104a53d99ebdd4eb13fcf053706fd6b1902d5e263f002d92e4a0c795e095ff446484c0583fd4f4149f67963b68d8f5ce0f2826b0492ad726db4b369253df

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\obsi_server.exe

Filesize
1.8MB

MD5
3ab3bb1e988a8de5ebf5c02fd750e8ec

SHA1
b610a2132330a1bf858dbe6eafd70db698fb71dd

SHA256
8f76a96e32548a79493d6b9cc4129b5d2fc2899b398b13c1915f0b37de13306c

SHA512
a2bac41541fae3a7352cd33edc4b99cd1ac08dc22771bc0866d7123a7175a79286650710816a8cb9382b30da25779b0b520f02d5a05ca5ee0e3364e6c515445b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
aaf2a85d011883480d54ea8194b4d950

SHA1
1387c53c2effc6209a1669a4ae2b969c2d4fb8f2

SHA256
568db501936a27458da92dea13193b61b871a89c761e945e4c0b4c4a4abe7d23

SHA512
6fd9e9642d4ac3d45f308922eab9ac6a2aa69f4a70d22bf88075745bb64124f1abcabf87a20eb4063044dfbac814a78c6afa0c3ffcef87fe145be3d5183013ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
01e7519cfc7a7f8078386dad88727fd0

SHA1
4d2f5c5d846490a87b0c4e2217e8413fff208b5d

SHA256
9236556c2e982a8ce635d68300a4855e5a008e29642f0571e9059ec60d5ef3c0

SHA512
6f211c5a89a366c8a34540cc0422c48c2899924164ed58773b5059fa60fd470ec908858d7ced887e02c6d295676a67dd7c4b71f39a7426512c68a7f484b3ceff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_F2C98D1910B19AD4CA5E3BEF129F1423

Filesize
510B

MD5
2147a2ddb1984314222cf960d0618b24

SHA1
7588d3527fd7ced412050049e6870f445b366f32

SHA256
bf1b2aa522f4454dd138d5cddf05ae0881ff2b93517d1db90d267b85e53c9a15

SHA512
57faf3266a26238caad03ab30fbc31c255d9ec72905695a326cab68765bb20d7e5f55a37febaf8a18eb6f9bcbda713d6dc4638aa6193040653f4d0d437c81ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
07571fec0353aaab2ee1dd7d1ad7f1eb

SHA1
e871364ec261ac4f6b68beaa56f6dfce1bf8bcf5

SHA256
1ba6b4b626135e5704c7fdaa45e0c0a2e101acb9c74b9e72d019ced3668ec202

SHA512
deddcb647f95849faee3e00ed7451d3e690c78163df47e2e3b61de39f43472da4b013b9bb89729890a642b5bd50d46a34f9b409cd9963e1a48389c49303ef5bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a79f9cf692578ee567db637ae3c3da25

SHA1
251ab49ba26165a4c9aa351be3801246cbeffcfc

SHA256
bf2d2fd4bbb89bd7fc4b76562dfd96fc3c45de83f51e207ef990367281361a69

SHA512
0ad306430fc758c8ad7011b1886b9a4972c95371fb66bb79a0ae5975937e6e9c4968e2df0fae9456038bb0b4d3f0b439a06a4217853debc54dd8cfc26082969d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
90478a0c2e96a5acd062a4abd5c757fa

SHA1
de462763645895e7e5f49d89e68eb313eb0922c3

SHA256
b332f923b11b79b5d6a992788885e49a3738128d0e59d0261f20b6dc80852fb9

SHA512
31447f84fc8e3ad3635d9989b8407c36447cb86a907c8d6fabd35786314d55113ebe1d0c977483815652ac8707c0554ed08d8af7aeba7bad66b5533ff7c8bf2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_F2C98D1910B19AD4CA5E3BEF129F1423

Filesize
476B

MD5
1c9f2977e94e2c6182bfdf2c0903f4ad

SHA1
e284f6aabbe24e0ba04a9d5400e09863529d56af

SHA256
8da3d1cb943c55446879337dcc0d7dae0a2d5d530b6348f8b10a786d18dd121d

SHA512
bf199aed86f41d1e61269b26419e96b841c2ad7c113c1f0c3f7ccf4d2dc65fa6fa0184ef008dddb55c9e2217ea8b69f565c1b24c70e0c01211260a6bda680288

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
47dc4519b87f9cabac6ca394242c197a

SHA1
641c58789a94f743f58f166225fe08af54a3641c

SHA256
d4dd2c127c5f120351f1dd277b76bd329171b0d8e73a11537934dfb874ccc874

SHA512
721de003800f060a0c97656c0eecd7751ea2d002fea466f70fc9d3218d275247539ec2735614f1e1f1cf36f2addd3ad9b6de41bbb58e4356cf12a0fab3cad952

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB453.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6011.tmp

Filesize
214KB

MD5
7228b731dab6dc982945a8ea5ebcfa72

SHA1
98bcf19711da328ff7debac3f7355d6bdb0710c2

SHA256
c1426415488d278cea90702e184a250b2cce7caadd318c352abf21af33598875

SHA512
2e12918098d550a3f58b3266cd0bde316c086156cf6eea6779077129c8adc77db36b6d100e20e30a22acf9bd554d7e2db8a553b64b6be33d86cf8337eb5d1689

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB476.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Obsidium x64\{FF579306-30D7FC15-0FA28901-B0E30DB0}.9917505916533944326

Filesize
896B

MD5
99b71a8f879b54aa2513a9398cd4cfbf

SHA1
95b67a7ece2a7864c7c64e148cb43e6e7ca12b25

SHA256
2f027b6b55c679d22a89a89efcd1fc5fb0d8c03e3b52e590cc0da0e9753618ad

SHA512
ce5c68c56e7f1cd720688cc3c6610fad5ae4f0a1d3d3d5971d55c54fdb1939f5396cd1fdfd11650052575588725f3969b69ba2b1d9924425390d8d8103d2c3fc

Download Submit
C:\Windows\Installer\MSI42F8.tmp

Filesize
269KB

MD5
8e3b20dac385a60b7c0121020af6b0c8

SHA1
e2a8ddc8fc6f51738dcb98f598e46e3f2246e951

SHA256
89e82153f768ac5102cecd36a01c560623766ead9a2a42a31a37fb9f73b01db3

SHA512
34a22a01863a08d89d15c86a2e1eb91f569521835beec9105fd02e042398da267a89269e74ad25f5145a00ab08105de2b4bc89364c7f7dcb50e26feedecba449

Download Submit
C:\Windows\Installer\f773faf.msi

Filesize
15.9MB

MD5
b22bf4d75aea2ec6a0868f197b20f128

SHA1
925d722642fdbf2b7b9d70fefbd25efb3005531d

SHA256
1f5d87d2c996b5e6dcfac2ebfe3f24a70817fada79ca3e16c8eee8f3497c2bfb

SHA512
5feebff9e884af8f65e824bf4f52126c01d63154dbc44027a61b5e4510328bb1329883b6316f4e920fe27c017e69add48d921e536a4f5945348d41187901b574

Download Submit
memory/828-342-0x0000000001D50000-0x0000000001E19000-memory.dmp

Filesize
804KB

Download
memory/828-356-0x000000013FBF0000-0x000000013FFDC000-memory.dmp

Filesize
3.9MB

Download
memory/828-352-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/828-344-0x000000013FBF0000-0x000000013FFDC000-memory.dmp

Filesize
3.9MB

Download
memory/1320-306-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/1320-308-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-307-0x0000000000250000-0x000000000033C000-memory.dmp

Filesize
944KB

Download
memory/1320-304-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-305-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-303-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-330-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-314-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-343-0x0000000005880000-0x0000000005C6C000-memory.dmp

Filesize
3.9MB

Download
memory/1320-331-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-385-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-317-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-319-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-316-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-381-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-379-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-313-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-329-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-318-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-315-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-312-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-353-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-332-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-354-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-309-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-355-0x0000000005880000-0x0000000005C6C000-memory.dmp

Filesize
3.9MB

Download
memory/1320-360-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-362-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-364-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-374-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1320-376-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/1972-192-0x000007FEF6330000-0x000007FEF6375000-memory.dmp

Filesize
276KB

Download
memory/1972-197-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2620-302-0x00000000029F0000-0x0000000003CD9000-memory.dmp

Filesize
18.9MB

Download