1f5d87d2c996b5e6dcfac2ebfe3f24a70817fada79ca3e16c8eee8f3497c2bfb

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Obsidium64Setup.msi
Size

15.9MB
MD5

b22bf4d75aea2ec6a0868f197b20f128
SHA1

925d722642fdbf2b7b9d70fefbd25efb3005531d
SHA256

1f5d87d2c996b5e6dcfac2ebfe3f24a70817fada79ca3e16c8eee8f3497c2bfb
SHA512

5feebff9e884af8f65e824bf4f52126c01d63154dbc44027a61b5e4510328bb1329883b6316f4e920fe27c017e69add48d921e536a4f5945348d41187901b574
SSDEEP

393216:laoik24KCni1T2NK7/39AHUGN+wIbfae8xAlxCvhSYo6:laGwCYT2Ur3uh+wIz9CvhK6

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	980	msiexec.exe
8	980	msiexec.exe
10	980	msiexec.exe
12	980	msiexec.exe
14	980	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
644	Obsidium.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\german.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\msdia140.dll	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64x.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_lic_end.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\README	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\C++ Wrapper\Obsi.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Delphi XE2\CmdLine Example\cmdline.dpr	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\stdafx.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\czech.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\obsi_server.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.lib	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\C#\API\Obsidium64.cs	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\C#\Keygen\ObsidiumKeygen64.cs	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_lic_end.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Sample Projects\sample_long.opf	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\EULA.txt	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_enc_start.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_vm_start.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Tools\ObsPatchDump.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\targetver.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\russian.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.def	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\php\test-generate.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\php\test-verify.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\stdafx.cpp	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example\stdafx.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\php\obsidium_keygen.inc.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Tools\display_systemid.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Tools\display_usbid.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\chinese.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\indonesian.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\keygen64.lib	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidiumlib.obj	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\keygen_short.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\keygen64.dll	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\spanish.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\TranslationTool.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Delphi XE2\CmdLine Example\cmdline.dproj	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\PureBasic\Example.pb	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Sample Projects\sample_short.opf	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.chm	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium64.dll	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_vm_end.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\lang\dutch.lng	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample.sln	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\targetver.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\obsi_example\obsi_example.sln	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\obsidium.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_enc_end.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_lic_start.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_enc_end.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\VB .NET\Obsidium64.vb	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Visual C++\NetworkLicensingSample\NetworkLicensingSample\stdafx.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\keygen64.h	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_enc_start.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium_lic_start.pas	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\PureBasic\obsidium.pbi	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Delphi\API\obsidium64_vm_start.inc	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\keygen_short_test.html	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\SDK\Linux\keyver_long.php	msiexec.exe
File created	C:\Program Files\Obsidium Software\Obsidium x64\Examples\Sample Projects\readme.txt	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e584169.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4273.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}\ProductIcon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}\ProductIcon.exe	msiexec.exe
File created	C:\Windows\Installer\e584169.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4468.tmp	msiexec.exe
File created	C:\Windows\Installer\e58416b.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
644	Obsidium.exe
2280	obsi_server.exe

Loads dropped DLL 2 IoCs

pid	Process
5044	MsiExec.exe
3824	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
980	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obsidium.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Version = "17235973"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fLanguages = "fApplication"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\ProductIcon = "C:\\Windows\\Installer\\{A4571EB0-1C0C-40D8-BAA7-22266CEA6F4C}\\ProductIcon.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell\open\command	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.opf\OpenWithProgIds\Obsidium64.opf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fApplication	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fTools = "fApplication"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F9071113441C1C54E9B66905EC0F4C96\0BE1754AC0C18D04AB7A2262C6AEF6C4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\DefaultIcon\ = "C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\PackageName = "Obsidium64Setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell\open\command\ = "\"C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe\" \"%L\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\DefaultIcon\ = "C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\ = "Obsidium x64"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open\command\ = "\"C:\\Program Files\\Obsidium Software\\Obsidium x64\\Obsidium.exe\" \"%L\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opf\OpenWithProgIds	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fExamples = "fApplication"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\ = "Obsidium Project File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\ProductName = "Obsidium x64"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.Application\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F9071113441C1C54E9B66905EC0F4C96	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BE1754AC0C18D04AB7A2262C6AEF6C4\fSDK = "fApplication"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\PackageCode = "36451512CBB3AFF479D99984F25401D8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BE1754AC0C18D04AB7A2262C6AEF6C4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Obsidium64.opf\shell\open\ = "Open with Obsidium x64"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1488	msiexec.exe
1488	msiexec.exe
644	Obsidium.exe
644	Obsidium.exe
2280	obsi_server.exe
2280	obsi_server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	980	msiexec.exe
Token: SeSecurityPrivilege	1488	msiexec.exe
Token: SeCreateTokenPrivilege	980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	980	msiexec.exe
Token: SeLockMemoryPrivilege	980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	980	msiexec.exe
Token: SeMachineAccountPrivilege	980	msiexec.exe
Token: SeTcbPrivilege	980	msiexec.exe
Token: SeSecurityPrivilege	980	msiexec.exe
Token: SeTakeOwnershipPrivilege	980	msiexec.exe
Token: SeLoadDriverPrivilege	980	msiexec.exe
Token: SeSystemProfilePrivilege	980	msiexec.exe
Token: SeSystemtimePrivilege	980	msiexec.exe
Token: SeProfSingleProcessPrivilege	980	msiexec.exe
Token: SeIncBasePriorityPrivilege	980	msiexec.exe
Token: SeCreatePagefilePrivilege	980	msiexec.exe
Token: SeCreatePermanentPrivilege	980	msiexec.exe
Token: SeBackupPrivilege	980	msiexec.exe
Token: SeRestorePrivilege	980	msiexec.exe
Token: SeShutdownPrivilege	980	msiexec.exe
Token: SeDebugPrivilege	980	msiexec.exe
Token: SeAuditPrivilege	980	msiexec.exe
Token: SeSystemEnvironmentPrivilege	980	msiexec.exe
Token: SeChangeNotifyPrivilege	980	msiexec.exe
Token: SeRemoteShutdownPrivilege	980	msiexec.exe
Token: SeUndockPrivilege	980	msiexec.exe
Token: SeSyncAgentPrivilege	980	msiexec.exe
Token: SeEnableDelegationPrivilege	980	msiexec.exe
Token: SeManageVolumePrivilege	980	msiexec.exe
Token: SeImpersonatePrivilege	980	msiexec.exe
Token: SeCreateGlobalPrivilege	980	msiexec.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeBackupPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe
Token: SeTakeOwnershipPrivilege	1488	msiexec.exe
Token: SeRestorePrivilege	1488	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
980	msiexec.exe
980	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
644	Obsidium.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3324	1488	msiexec.exe	101
PID 1488 wrote to memory of 3324	1488	msiexec.exe	101
PID 1488 wrote to memory of 5044	1488	msiexec.exe	103
PID 1488 wrote to memory of 5044	1488	msiexec.exe	103
PID 1488 wrote to memory of 3824	1488	msiexec.exe	105
PID 1488 wrote to memory of 3824	1488	msiexec.exe	105
PID 1488 wrote to memory of 3824	1488	msiexec.exe	105
PID 3824 wrote to memory of 644	3824	MsiExec.exe	106
PID 3824 wrote to memory of 644	3824	MsiExec.exe	106
PID 3824 wrote to memory of 644	3824	MsiExec.exe	106
PID 644 wrote to memory of 2280	644	Obsidium.exe	107
PID 644 wrote to memory of 2280	644	Obsidium.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Obsidium64Setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3324
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 48BFD5DE55B9B96A499E79BA8660BAD3
  2⤵
  - Loads dropped DLL
  PID:5044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A1A91E6FFDA2FEF2657CA5639D7D08FD C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe
    "C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Program Files\Obsidium Software\Obsidium x64\obsi_server.exe
      obsi_server.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58416a.rbs

Filesize
27KB

MD5
9a7eacb9bbdae9c61f9af3105a2239b8

SHA1
f381e9ccbf712a9431463923b2c4be8f905673c0

SHA256
f682c2ad651ddf3b5d9e35c94fc0766f2af0ac30d53e2e837b7e01b062b855da

SHA512
e5278210c81929deea79222e34aa4e60f91438ce8a0c18ab834bdbe40c06eae6b27f4f9e8fdc97d0f2d99daa02b1eecb8976b7bc6a2d42a75b05cdb6e012dd87

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\Obsidium.exe

Filesize
7.6MB

MD5
e90776ae67f5b47bef06ea117f80e938

SHA1
7cfb0399daaee2bb858a0540ee11a8a02f712145

SHA256
f9c91b609f46b72492dc9c7913dbb946e75ad2e1f732ac08674805dbb23e452b

SHA512
b92002e4212c8f7d2be8fa221deafdf033fd70f949fc5e3c6efeaa12dcc0510cc9a0746d97e819ead8583d5cf60867f3409930b85486fab20945a9e7da9f5df7

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\chinese.lng

Filesize
24KB

MD5
beb4d15b474409b03eb6e2543b2cce90

SHA1
37ecf1c340d645704c4f2422e3322e8c353ea92f

SHA256
7afd6daaf24255046ebe2aebc1760e54f7e40fd4413b533ee734a650842a2751

SHA512
59cc94524b220ed1077e7d68ec0f13e6661eace088fb8345c8f93b88080da45b8876bb59ee1aec81df64798b4c64b9d6d8b69277872e6ad5813dd1f23f7a6e37

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\czech.lng

Filesize
25KB

MD5
2a6c679181b7d911be07d04504c61908

SHA1
7df9e8437182b4b02cf1c94e3b1eeac215595005

SHA256
6d128d694abf960cec7189864e403f33739ba1bd928ba256bb6b682c6d2531b6

SHA512
b0ea586f24a1776a3a8e4e1f7c464d464d4181ce0a4ce47430c07f1b28ad60c988d637d45c31c83c2d278a254ba594f0aeb11748b3607f13a8a98e70fff3ae5e

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\dutch.lng

Filesize
20KB

MD5
296fe59f6b2d000bad11c4ebefa78632

SHA1
a33e93bce4fc485ff43eaaa5d1e538eeaa54c5f3

SHA256
38fb0e71a2572d7724c3904f003430ff61adc035ac2d717763460ac814129102

SHA512
be4999595cfc206e6d28f45bd679a6951aa01c9d71f38c48327c29ff29fc53d93eb5e816d3c4ede423626ca9581cd1a4975f50b8fe24b490362c73315215c713

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\english.lng

Filesize
29KB

MD5
53664359bc9322731d28f6cf67622840

SHA1
b648e099b5dea752b2b5a2a3002e54de233d77db

SHA256
5be38277b5cd3dc4737aad58eae9329dc952f223d3481370498ce220fff5504a

SHA512
f8fc07d9e892efa94ba737603237b55ce07f1e40786aa1bdfa8997e38abf822e8a26488477beaa21f55d64e8483cdd7de48ce4789cd5b1b863011f949b774a67

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\german.lng

Filesize
33KB

MD5
48e9b915ccd4ec5418aa6ce87a1ec80e

SHA1
43356ab28e77884a22cbfee6cc084cf618820e8c

SHA256
e2b639aff65e878faf9a29462fb8fc42e27a2169e4d4ce97e5ed2533dfa7aa27

SHA512
392e9a823d2299064a44bcafcd12a15e214bf650100d1dad823c2189f8121402a69ce9167837fc92666a4ad1ebaccf01bc10fe6a0053af2fa428075b7cf30cb2

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\indonesian.lng

Filesize
16KB

MD5
94f984833b6b374acac4dda7672334e3

SHA1
636e3f1ff4cee778c7f58214aaaf8682ba377acf

SHA256
f81ae3e06546df5f6099c8338a35d4d28bbb55b78a42e4c30761a4b032d65774

SHA512
88740048a7d236b9dfc5fcc501de95540605407ae9ec928c19fa4627b93cb0c2f1dee958c4ceb600095ef61662d875d77d71bedf71aa6a277e569b4b23232649

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\italian.lng

Filesize
20KB

MD5
5a3a7ce3f9a98f9c3c4bd46acbadef81

SHA1
dd2d0eca38d8ecefbc1b8345085b91779fd928b2

SHA256
51736fb1d60f3e23dcd788af97ca49d32800e346a9fe91a1d9140c467af2141d

SHA512
9c0148809d6abb6a6a226375b67910a86cb481dd0bf0b0879dc5440d70ad0b300c736ad65f150549883f1ee978224d7a2a89546f5407407052c366637f4b3270

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\russian.lng

Filesize
37KB

MD5
4a140bd38541c888572e00e2618a6d37

SHA1
c154178a0369f21ba4bb535a21de1cae5be831da

SHA256
ef0dae8d0c8a630173fe6740f3a2c7b7092b8ee46dc155c02034241aa17cced9

SHA512
d2ce3f43e167e7ac4b23d64c77a3d3414a843390fc31e3b2d60aa1465f6198912dbfc7e4bedcd4dfe72ec5c03fbe2bac242d1e89f4f31dc2a0c128f244e6ffd9

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\lang\spanish.lng

Filesize
17KB

MD5
4463aa5b6606b4190a6002e8a4fb6c05

SHA1
a4043ce9ba86923678d3fe707b83c1ca63b2b625

SHA256
7c369214c87a4795b7a1e2bf06a175dde42abb1027b3ba71480e13b1f5ba7bf6

SHA512
78a6104a53d99ebdd4eb13fcf053706fd6b1902d5e263f002d92e4a0c795e095ff446484c0583fd4f4149f67963b68d8f5ce0f2826b0492ad726db4b369253df

Download Submit
C:\Program Files\Obsidium Software\Obsidium x64\obsi_server.exe

Filesize
1.8MB

MD5
3ab3bb1e988a8de5ebf5c02fd750e8ec

SHA1
b610a2132330a1bf858dbe6eafd70db698fb71dd

SHA256
8f76a96e32548a79493d6b9cc4129b5d2fc2899b398b13c1915f0b37de13306c

SHA512
a2bac41541fae3a7352cd33edc4b99cd1ac08dc22771bc0866d7123a7175a79286650710816a8cb9382b30da25779b0b520f02d5a05ca5ee0e3364e6c515445b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
aaf2a85d011883480d54ea8194b4d950

SHA1
1387c53c2effc6209a1669a4ae2b969c2d4fb8f2

SHA256
568db501936a27458da92dea13193b61b871a89c761e945e4c0b4c4a4abe7d23

SHA512
6fd9e9642d4ac3d45f308922eab9ac6a2aa69f4a70d22bf88075745bb64124f1abcabf87a20eb4063044dfbac814a78c6afa0c3ffcef87fe145be3d5183013ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
01e7519cfc7a7f8078386dad88727fd0

SHA1
4d2f5c5d846490a87b0c4e2217e8413fff208b5d

SHA256
9236556c2e982a8ce635d68300a4855e5a008e29642f0571e9059ec60d5ef3c0

SHA512
6f211c5a89a366c8a34540cc0422c48c2899924164ed58773b5059fa60fd470ec908858d7ced887e02c6d295676a67dd7c4b71f39a7426512c68a7f484b3ceff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_F2C98D1910B19AD4CA5E3BEF129F1423

Filesize
510B

MD5
2147a2ddb1984314222cf960d0618b24

SHA1
7588d3527fd7ced412050049e6870f445b366f32

SHA256
bf1b2aa522f4454dd138d5cddf05ae0881ff2b93517d1db90d267b85e53c9a15

SHA512
57faf3266a26238caad03ab30fbc31c255d9ec72905695a326cab68765bb20d7e5f55a37febaf8a18eb6f9bcbda713d6dc4638aa6193040653f4d0d437c81ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
48120e1716d86ce11f75c6a798dce381

SHA1
41a7fe7b929ba9208e76949068685a53bc2f0b9a

SHA256
83e091b0a324dc3c6160fc4ec7952464a6748b841a110ee7cd0157a4a7771b2e

SHA512
8cc7295ca4862dfd78556ab0e7c66e8a5453a1251084c6a745dd88fe64911dc3e816005eb54755fca42eb9fbaae9e3d4177c40c8764f020207741bd264ad1f9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
78660b0953771f0a3c77ac340da92ad0

SHA1
d65646e08dfc63c82ea546401de707383fced3ad

SHA256
3af2c845c789beb64f47ca5793e5ccb6f0efe7b5c2d1e08a6cb90420ddea69c0

SHA512
5d5753420967f3cf4b28a9480db20bfcf168bcb9b1253b7fc108984ec377dac269aece6cc1cf48b5fe5c8cef1f921b78c9de6730168e9e0e1291c971603e13b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_F2C98D1910B19AD4CA5E3BEF129F1423

Filesize
476B

MD5
ab90c0f0c597518ba08abca880b765e8

SHA1
8942e2c613ef1e05b1cae2d623a62ea6d78e77ef

SHA256
3b385e54c47ec308ff9d4f5a15b955c5b2db3a179b8bc98be5fcb5cf64b24302

SHA512
65eca69313b474cf666645b045e2b01de46182fd7bb66c1dfce7bb7f65b57e169e1c806fa3d022eda0cba45f4215b4af3a46ff4a8d091cd087b127637f6762c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4D50.tmp

Filesize
214KB

MD5
7228b731dab6dc982945a8ea5ebcfa72

SHA1
98bcf19711da328ff7debac3f7355d6bdb0710c2

SHA256
c1426415488d278cea90702e184a250b2cce7caadd318c352abf21af33598875

SHA512
2e12918098d550a3f58b3266cd0bde316c086156cf6eea6779077129c8adc77db36b6d100e20e30a22acf9bd554d7e2db8a553b64b6be33d86cf8337eb5d1689

Download Submit
C:\Users\Admin\AppData\Roaming\Obsidium x64\{FF579306-30D7FC15-0FA28901-B0E30DB0}.9917505916533944326

Filesize
896B

MD5
3809b8785a0648960e6b0384ef361bef

SHA1
706a5fd2a76ec49455e8f9148dcf1350f6461734

SHA256
fa18be1f3b40af630b83475674fd06f3dd5c64940a732a126ce10befacbd33de

SHA512
d47833a798e79083f313e4c1b58f01036f99f83c0145bf4de65502ac766a23e1b828ae0008fea748c32658af5633aa5dcde7590391a03abbfd1cbebcd3d7af24

Download Submit
C:\Windows\Installer\MSI4273.tmp

Filesize
269KB

MD5
8e3b20dac385a60b7c0121020af6b0c8

SHA1
e2a8ddc8fc6f51738dcb98f598e46e3f2246e951

SHA256
89e82153f768ac5102cecd36a01c560623766ead9a2a42a31a37fb9f73b01db3

SHA512
34a22a01863a08d89d15c86a2e1eb91f569521835beec9105fd02e042398da267a89269e74ad25f5145a00ab08105de2b4bc89364c7f7dcb50e26feedecba449

Download Submit
C:\Windows\Installer\e584169.msi

Filesize
15.9MB

MD5
b22bf4d75aea2ec6a0868f197b20f128

SHA1
925d722642fdbf2b7b9d70fefbd25efb3005531d

SHA256
1f5d87d2c996b5e6dcfac2ebfe3f24a70817fada79ca3e16c8eee8f3497c2bfb

SHA512
5feebff9e884af8f65e824bf4f52126c01d63154dbc44027a61b5e4510328bb1329883b6316f4e920fe27c017e69add48d921e536a4f5945348d41187901b574

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
b51b305aede0c65dacebaf6c5c862d29

SHA1
2ac56f8afec60bec6f5d1042a1c79d5454a4f9c3

SHA256
20f447905ea86e238aafa8e668acd0ba13e587a8ac05acfecaaf4d553349d65b

SHA512
390af8b6319b8d00e67f63e35fb35b780bea7ff996301c5ce5ae6f003cc9e1b668c1f2c7279a40d3f2cfb70418942d9239aab5419f1ecf3e7adb11cdc836e11a

Download Submit
\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{203318b0-27ff-4ea9-a3ea-41f204cc67f3}_OnDiskSnapshotProp

Filesize
6KB

MD5
ac57e43afa15f1ab24bd46fecd7a7b07

SHA1
9267d76c1514fca1a1f7ee004bbe6cb481b47c8c

SHA256
aa2828563c889ab2ca5759d0790f2703ab24f1cceda3c6841e16a10c6097cd91

SHA512
f1220fe2ac9a2907089f8142cc5b486597c81ddcb00167094e51971d7a7fe51190ac5a0f9f6b3b7938d0d1dd4c05ef0d5efb3635e8ca23cefedf021889c346f1

Download Submit
memory/644-142-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-143-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-154-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-155-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-152-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-150-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-151-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-153-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-147-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-146-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-167-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-145-0x0000000003610000-0x00000000036FC000-memory.dmp

Filesize
944KB

Download
memory/644-157-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-144-0x00000000031C0000-0x00000000031C4000-memory.dmp

Filesize
16KB

Download
memory/644-168-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-169-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-170-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-156-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-215-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-213-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-141-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-211-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-209-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-207-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-176-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-196-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-205-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-200-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/644-202-0x0000000000400000-0x00000000016E9000-memory.dmp

Filesize
18.9MB

Download
memory/2280-198-0x00007FF76CE70000-0x00007FF76D25C000-memory.dmp

Filesize
3.9MB

Download
memory/2280-192-0x00000286F6170000-0x00000286F6172000-memory.dmp

Filesize
8KB

Download
memory/2280-182-0x00000286F6190000-0x00000286F6259000-memory.dmp

Filesize
804KB

Download
memory/2280-175-0x00007FF76CE70000-0x00007FF76D25C000-memory.dmp

Filesize
3.9MB

Download
memory/5044-36-0x000001CC45D20000-0x000001CC45D21000-memory.dmp

Filesize
4KB

Download
memory/5044-37-0x00007FFA79980000-0x00007FFA799C5000-memory.dmp

Filesize
276KB

Download