hxxps://link-target[.]net/498735/centralhackdwfree

Analysis

max time kernel
297s
max time network
333s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2022, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://link-target.net/498735/centralhackdwfree

Score

8^/10

discovery persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4188	Buff Achievement Tracker - Installer.exe
4868	ChromeRecovery.exe
3644	OWinstaller.exe
2812	OverwolfSetup.exe
4680	OverwolfUpdater.exe
1780	OverwolfUpdater.exe
3500	OverwolfTSHelper.exe
2076	checkRedist.exe
4048	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.exe
1456	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
3920	saBSI.exe
5072	saBSI.exe
3160	installer.exe
3432	installer.exe

Registers COM server for autorun 1 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	OWinstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp

Loads dropped DLL 36 IoCs

pid	Process
4188	Buff Achievement Tracker - Installer.exe
4188	Buff Achievement Tracker - Installer.exe
4188	Buff Achievement Tracker - Installer.exe
4188	Buff Achievement Tracker - Installer.exe
4188	Buff Achievement Tracker - Installer.exe
4188	Buff Achievement Tracker - Installer.exe
4188	Buff Achievement Tracker - Installer.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
3500	OverwolfTSHelper.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
2812	OverwolfSetup.exe
1456	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
1456	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
1456	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
1456	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
400	regsvr32.exe
4356	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Overwolf = "C:\\Program Files (x86)\\Overwolf\\OverwolfLauncher.exe -overwolfsilent"	OWinstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	DxDiag.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast-v.css	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Resources\builtin_extensions\cikmooajmbkmclnjlcphoekbdoloeaaoojimoflf\manifest.json	OverwolfSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\anti-malware.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wss.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-overlay.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-pt-PT.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Licenses\DirectShowNet\license.txt	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.204.0.1\resources\default_extensions\support-widget.opk	OWinstaller.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\jquery-1.9.0.min.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\white_questionmark.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-oem-ss-toast-variants\template2\wa-oem-ss-toast-variants-t2.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-en-US.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\libEGL.dll	OverwolfSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\Temp1382005162\jslang\wa-res-install-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-options.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-en-US.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\OpenMcdf.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Resources\uninstaller\Files\images\logo-big.svg	OverwolfSetup.exe
File created	C:\Program Files\McAfee\Temp1382005162\logicmodule.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1382005162\settingmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1382005162\wa_install_check2.png	installer.exe
File created	C:\Program Files\McAfee\Temp1382005162\jslang\wa-res-install-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wall_red.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-overlay.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Overwolf.ExtensionsUpdate.dll	OverwolfSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-nb-NO.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Resources\default_extensions\achievement-rewards.opk	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Resources\default_extensions\teamspeak\wow_go_jenkins.opk	OverwolfSetup.exe
File created	C:\Program Files\McAfee\Temp1382005162\jslang\eula-fr-FR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1382005162\jslang\wa-res-shared-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-en-US.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\System.Text.Encodings.Web.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Resources\builtin_extensions\mdelnbcocknmpmhnljfbkacgamflhbiihkoloocd\Icon.ico	OverwolfSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\icn_mshield.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Resources\builtin_extensions\gphodffjnplojfigjjffnbbpjpcpdpfiimfpfacl\Splash.png	OverwolfSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\servicehost.exe	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-fr-CA.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\CoreAudioApi.dll	OverwolfSetup.exe
File created	C:\Program Files\McAfee\Temp1382005162\uimanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-ja-JP.js	installer.exe
File created	C:\Program Files (x86)\Overwolf\0.204.0.1\Sentry.dll	OverwolfSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\alt_triggers.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\nps\wa-nps-checklist.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\Temp1382005162\jslang\eula-ko-KR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\wa-controller-mwb-checklist.js	installer.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4848	sc.exe
3416	sc.exe
2496	sc.exe
3344	sc.exe
632	sc.exe
2588	sc.exe
4628	sc.exe
3956	sc.exe
1464	sc.exe
5068	sc.exe
3936	sc.exe
1324	sc.exe
2128	sc.exe
3780	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DxDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DxDiag.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\DefaultIcon	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\ = "TSServerInfo Class"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\ = "open"	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open\command\ = "\"C:\\Program Files (x86)\\Overwolf\\\\OverwolfLauncher.exe\" -install-opk %1"	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\Programmable	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\TypeLib	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opk	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{9BB9706D-EB29-4777-89D0-638E96A84804}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open\command	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\TypeLib\Version = "1.0"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\TypeLib	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{FCBE448C-CE87-4183-980E-B3E278B1D24F}	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\ = "ITSWapper"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\ = "TSWapper Class"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\TypeLib	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\Version	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81A2F1FA-CAA8-4393-B70F-6F245AF97DC1}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\FLAGS\ = "0"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\0	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\ = "IClientListResult"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\ProxyStubClsid32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\ProxyStubClsid32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\TypeLib\Version = "1.0"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\ = "OPK_File"	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\Version\ = "1.0"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\FLAGS	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\ProxyStubClsid32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\ = "ITSServerInfo"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\ = "ITSWapper"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\ProxyStubClsid32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\TypeLib	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	DxDiag.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	319	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	chrome.exe
316	chrome.exe
5056	chrome.exe
5056	chrome.exe
1900	chrome.exe
1900	chrome.exe
1440	chrome.exe
1440	chrome.exe
2400	chrome.exe
2400	chrome.exe
1644	chrome.exe
1644	chrome.exe
4912	chrome.exe
4912	chrome.exe
4320	chrome.exe
4320	chrome.exe
1524	chrome.exe
1524	chrome.exe
4060	chrome.exe
4060	chrome.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
4500	DxDiag.exe
4500	DxDiag.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: 33	4332	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4332	AUDIODG.EXE
Token: SeDebugPrivilege	3644	OWinstaller.exe
Token: SeDebugPrivilege	4680	OverwolfUpdater.exe
Token: SeDebugPrivilege	1780	OverwolfUpdater.exe
Token: SeSecurityPrivilege	3344	sc.exe
Token: SeSecurityPrivilege	3936	sc.exe
Token: SeSecurityPrivilege	3936	sc.exe
Token: SeSecurityPrivilege	632	sc.exe
Token: SeSecurityPrivilege	4848	sc.exe
Token: SeSecurityPrivilege	4848	sc.exe
Token: SeSecurityPrivilege	1324	sc.exe
Token: SeSecurityPrivilege	2588	sc.exe
Token: SeSecurityPrivilege	2588	sc.exe
Token: SeSecurityPrivilege	4628	sc.exe
Token: SeSecurityPrivilege	3416	sc.exe
Token: SeSecurityPrivilege	3416	sc.exe
Token: SeSecurityPrivilege	1464	sc.exe
Token: SeSecurityPrivilege	2128	sc.exe
Token: SeSecurityPrivilege	2128	sc.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
1456	CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
1448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3644	OWinstaller.exe
3644	OWinstaller.exe
3644	OWinstaller.exe
4500	DxDiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4964	5056	chrome.exe	82
PID 5056 wrote to memory of 4964	5056	chrome.exe	82
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 5092	5056	chrome.exe	85
PID 5056 wrote to memory of 316	5056	chrome.exe	86
PID 5056 wrote to memory of 316	5056	chrome.exe	86
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87
PID 5056 wrote to memory of 3624	5056	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://link-target.net/498735/centralhackdwfree
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaaab4f50,0x7ffbaaab4f60,0x7ffbaaab4f70
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:1916
- C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe
  "C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWinstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWinstaller.exe" Sel=1&Partner=3762&Extension=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl&Name=Buff%20Achievement%20Tracker&Thanks=https%3A%2F%2Fbuff.game%2Fthank-you-page%2F&UtmSource=Buff_Affiliate&UtmMedium=Buff_affiliate&UtmCampaign=Buff_3762&UtmContent=Buff_affiliateID6471&Referer=linkvertise.com -partnerCustomizationLevel 0 -exepath C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3644
  - - C:\Windows\SysWOW64\DxDiag.exe
      "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
      4⤵
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4500
  - - C:\ProgramData\Overwolf\Setup\0.204.0.1\OverwolfSetup.exe
      "C:\ProgramData\Overwolf\Setup\0.204.0.1\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      PID:2812
    - - C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe
        
        "C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe" /UpdateFWRules "C:\Program Files (x86)\Overwolf\\0.204.0.1\OverwolfBrowser.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
    - - C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe
        
        "C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe" /Register
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdshow OverwolfUpdater
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-18)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdshow OverwolfUpdater
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;S-1-5-19)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdshow OverwolfUpdater
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;LS)(A;;RPWPCR;;;S-1-5-20)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdshow OverwolfUpdater
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;LS)(A;;RPWPCR;;;NS)(A;;RPWPCR;;;S-1-5-21-2891029575-1462575-1165213807-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdshow OverwolfUpdater
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;LS)(A;;RPWPCR;;;NS)(A;;RPWPCR;;;S-1-5-21-2891029575-1462575-1165213807-1000)(A;;RPWPCR;;;S-1-1-0)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\OverwolfTSHelper.exe
        
        "C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\OverwolfTSHelper.exe" /RegServer
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:3500
    - - C:\ProgramData\Overwolf\Setup\checkRedist.exe
        
        "C:\ProgramData\Overwolf\Setup\checkRedist.exe"
        5⤵
        Executes dropped EXE
        
        PID:2076
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://buff.game/thank-you-page/?muid=d24bf890-474f-45c7-85bd-e55e32905294&extensionId=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl"
      4⤵
      PID:4032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbaaab4f50,0x7ffbaaab4f60,0x7ffbaaab4f70
        5⤵
        
        PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1144 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1304 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  PID:2260
- C:\Users\Admin\Downloads\CentralHackDWFree - Linkvertise Downloader_XLhx-k1.exe
  "C:\Users\Admin\Downloads\CentralHackDWFree - Linkvertise Downloader_XLhx-k1.exe"
  2⤵
  - Executes dropped EXE
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\is-77BOJ.tmp\CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-77BOJ.tmp\CentralHackDWFree - Linkvertise Downloader_XLhx-k1.tmp" /SL5="$80202,3528441,1235456,C:\Users\Admin\Downloads\CentralHackDWFree - Linkvertise Downloader_XLhx-k1.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\is-PR9R1.tmp\prod0_extract\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\is-PR9R1.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3920
    - - C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
        
        "C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.1.663 /no_self_update
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
        
        "C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3160
        
        C:\Program Files\McAfee\Temp1382005162\installer.exe
        
        "C:\Program Files\McAfee\Temp1382005162\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3432
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
        8⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        9⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:400
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
        8⤵
        Launches sc.exe
        
        PID:5068
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        8⤵
        Registers COM server for autorun
        Loads dropped DLL
        
        PID:4356
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
        8⤵
        Launches sc.exe
        
        PID:3780
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe start "McAfee WebAdvisor"
        8⤵
        Launches sc.exe
        
        PID:3956
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        8⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        9⤵
        
        PID:5172
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
        8⤵
        
        PID:5256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/djhgehdzmge58ig/installer.exe/file
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:1448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc14346f8,0x7ffbc1434708,0x7ffbc1434718
        5⤵
        
        PID:4432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 /prefetch:2
        5⤵
        
        PID:3436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2808 /prefetch:3
        5⤵
        
        PID:2184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
        5⤵
        
        PID:3544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
        5⤵
        
        PID:1896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
        5⤵
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 /prefetch:8
        5⤵
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5508 /prefetch:8
        5⤵
        
        PID:2496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
        5⤵
        
        PID:1528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
        5⤵
        
        PID:5788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
        5⤵
        
        PID:5952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
        5⤵
        
        PID:6036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 /prefetch:8
        5⤵
        
        PID:5740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
        5⤵
        
        PID:3012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
        5⤵
        
        PID:4048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7180 /prefetch:8
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        
        PID:5392
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff785a05460,0x7ff785a05470,0x7ff785a05480
        6⤵
        
        PID:1324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7180 /prefetch:8
        5⤵
        
        PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
        5⤵
        
        PID:4832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
        5⤵
        
        PID:808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1723777351883771627,1857617836464544641,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
        5⤵
        
        PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10509199129774443431,6341422646673505450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
PID:3956
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3956_1061903490\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3956_1061903490\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={3afb6242-be9f-45a2-9643-cbc5cae4350a} --system
  2⤵
  - Executes dropped EXE
  PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5224
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  PID:5668
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
    3⤵
    PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3956_1061903490\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll

Filesize
154KB

MD5
d6e5dcbd7fe4ca0a5325e19f693f2d44

SHA1
e0b98ba285ac20c4a8e6f909f71ef035dd3ac5ec

SHA256
800d521ed6052f383dd44588c96b1a1d04f6eba6ef3b6d336b94cf20f13f3242

SHA512
17d476f0495673e2efdae1f08a267d9b2250ade47aa8bfb8074fb23e561eac3c490614d25573909e26956de5de2aa7563d846d5709a38baa38aa0e2542f032df

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll

Filesize
154KB

MD5
d6e5dcbd7fe4ca0a5325e19f693f2d44

SHA1
e0b98ba285ac20c4a8e6f909f71ef035dd3ac5ec

SHA256
800d521ed6052f383dd44588c96b1a1d04f6eba6ef3b6d336b94cf20f13f3242

SHA512
17d476f0495673e2efdae1f08a267d9b2250ade47aa8bfb8074fb23e561eac3c490614d25573909e26956de5de2aa7563d846d5709a38baa38aa0e2542f032df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWInstaller.exe

Filesize
2.0MB

MD5
8c13fd37033434c34db446763a109f66

SHA1
ac005287cda93b77bd426e373a92b69337c266be

SHA256
24fff37a8402ec8ba27392aae5fbc6ac3ac702b07e2bac0e5831cabe9fa65874

SHA512
8f868508599228c64b3a4e1c745224693ec50db6ff3d2316db06c9272d59e4bbb8348b0171e47df1127a344644dbe717eaa9e3ea0fad5f5e35ec7473e02abf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWInstaller.exe

Filesize
2.0MB

MD5
8c13fd37033434c34db446763a109f66

SHA1
ac005287cda93b77bd426e373a92b69337c266be

SHA256
24fff37a8402ec8ba27392aae5fbc6ac3ac702b07e2bac0e5831cabe9fa65874

SHA512
8f868508599228c64b3a4e1c745224693ec50db6ff3d2316db06c9272d59e4bbb8348b0171e47df1127a344644dbe717eaa9e3ea0fad5f5e35ec7473e02abf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWInstaller.exe

Filesize
2.0MB

MD5
8c13fd37033434c34db446763a109f66

SHA1
ac005287cda93b77bd426e373a92b69337c266be

SHA256
24fff37a8402ec8ba27392aae5fbc6ac3ac702b07e2bac0e5831cabe9fa65874

SHA512
8f868508599228c64b3a4e1c745224693ec50db6ff3d2316db06c9272d59e4bbb8348b0171e47df1127a344644dbe717eaa9e3ea0fad5f5e35ec7473e02abf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWinstaller.exe

Filesize
2.0MB

MD5
8c13fd37033434c34db446763a109f66

SHA1
ac005287cda93b77bd426e373a92b69337c266be

SHA256
24fff37a8402ec8ba27392aae5fbc6ac3ac702b07e2bac0e5831cabe9fa65874

SHA512
8f868508599228c64b3a4e1c745224693ec50db6ff3d2316db06c9272d59e4bbb8348b0171e47df1127a344644dbe717eaa9e3ea0fad5f5e35ec7473e02abf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\OWinstaller.exe.config

Filesize
189B

MD5
23b26f7834b8105adb29e49ba1772187

SHA1
ad713058b10c5fca6b7b5365ef87d6963fcd9a28

SHA256
cd0f2bde9fdf115328b14c6ce4f75326f9f07e37feda0d57d4f628dadc9c7619

SHA512
bf0fa5b5a9ed33bbc5d736cf39f0c65136c7e4abbe7fb862f62189c394a94e6ea1a30b8bb7ce543f47e698cabe47e4e4102b0cfc39a5ebe6c1040a7f2780b2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\UserInfo.dll

Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\images\icon.ico

Filesize
10KB

MD5
b48ea7b5eab0cb7d27b0441ffee2eba2

SHA1
2d457a40e376b73dc332c74b3a1b9af920b06a4e

SHA256
ab6c2f416a0a8f5a23d43c7d1e58c00fab46c039ab29192b80c90633e2746b2e

SHA512
94f1e3e6e616d184b757b35f4d68619da3127c1ae387947c8436988de58f70f08aa299f5c42cb087c5761c9df92703889b44f88d4d96aac004ca696190af46c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\index.html

Filesize
18KB

MD5
7d3e8c3819dd12273bf0581a1293e4e8

SHA1
54a512400d91aa6b0364e800f21ec20ffee00d46

SHA256
e0a21b254c77b39af6b9cd3208a8e9231f819dfe880864115ef571f3dbf367b5

SHA512
3b00c7afb31f1f4619bbb51430a6ebd2cf0d90af8d7f9128da265da5e487b26fa3d8115f84380e793f0977a2c1bd1c8aaa9b450e878772d51d342f0016c33193

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\block_inputs.js

Filesize
789B

MD5
b5b52c92b90f4283a761cb8a40860c75

SHA1
7212e7e566795017e179e7b9c9bf223b0cdb9ec2

SHA256
f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544

SHA512
16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\libs\cmp.bundle.js

Filesize
296KB

MD5
ab770f93a2c6d70141f50911b9729a44

SHA1
dd1d856b0c2c67ae6d560c8badc6e95bb059d6b0

SHA256
0b37387945988a371be4df3f11bebba378b65e55e08b3ac189851dbbdceb1bca

SHA512
938c28c59116725983786d0240d1d4da207be93bd524a2fbe44ecdefaa844049e6e2288dbb46b950b7c7cdf6705622f0b50c6e1a42896806ff667998d6cbf95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\libs\jquery-1.10.2.min.js

Filesize
90KB

MD5
44e3f0db3e4ab6fedc5758c05cf27591

SHA1
2d408aa1d35661019c95adcc60b78c0727ed25b4

SHA256
bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144

SHA512
4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\models\notifications.js

Filesize
4KB

MD5
b8cad3acaaf40f86cd1eb532bbad2aa6

SHA1
b61ff160f12ca67b566c5507d8b2fbb87ddf111f

SHA256
9c88fab11d73469a264c46d43c49f311f710620f9e894fb090ba92a88c799cda

SHA512
209675a5512efc89dffef8726165888f4ca03d3dedc25f89b638f05545a8b116dbd155bee9e18a8174e25b6f65051de68fdb8a6409a588c750c3a40b46434db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\utils\analytics.js

Filesize
3KB

MD5
af4738feeab76df9fadc3c8c05f927d7

SHA1
ec1f6b7d5f37db9352d9a9ce85747061217e8d69

SHA256
b01b5abae728dd4d2c06176a4ab136d4a2f3e7e32c9f142079fda43e34d0886d

SHA512
8e4af89a5bbad1f2da40090163ca12f60b953cfd8d665fbc419b24f23138ed3fc542583d5981b9b8a8fd5767406048edc804ec537797af4738b68da629d3c31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\utils\commands.js

Filesize
10KB

MD5
12cad0db62c6f41a5648c63b22364a52

SHA1
423188d0a4af7e28a9f7ce3e77962995fe96287d

SHA256
e4370ad60b8dcd58977bb970fb0df8ce0308456df62e22ec2e0a3f7615b79d50

SHA512
6492051cbfb56688ef7768d29c8172da7ef3b0dcc97eb63c1ac71afcf0c4a34108a38af3268ed2fa203411b4ccfe3ea427a9e2ad1c3c97317f7bf7da27606bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\utils\cookies.js

Filesize
1KB

MD5
6c60e675f8c8c68c0174b644d3a63a2a

SHA1
3635a3fe07ccc4a6f33a986ddb690522d0611abb

SHA256
9d3cb3822e20d6f5157faa02dc69bdaef44576c3fb5523e00aa152107ce30287

SHA512
1dc9ec7b139bcf37107ecd673c01e4fcc606332ea1645a4a1b4e5d95f817d4c99d5964cd3d941a6a526689341d9623b17b4efc002cdf4c73404299d52b1be452

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\utils\modal-events-delegate.js

Filesize
1KB

MD5
117e4fdbdb0ecf211c8bd909efd337d1

SHA1
9f8684d856b7c95bdffb139217dfd89f41373187

SHA256
267661f932a2ea78d8c7a98cc03d1b18d7cb8132deb84636772ecd1fcfbe4857

SHA512
f474ee20b59d3d0c11f9f6aee6b6e2b66f7025beaec9841f88455e60533dc96cb4e27910be0dae92b0028c5578932b7f459fdb91d594ad010f72a3b3af6addb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\utils\strings-loader.js

Filesize
5KB

MD5
9c94eb933d8a43dd3825e67a7e30c980

SHA1
7ec7b16af6f399219209ba5967d377040486a11b

SHA256
96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf

SHA512
a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\utils\utils.js

Filesize
118B

MD5
a0952ebeab701c05c75710c33d725e7e

SHA1
1da8a2e889f1213d481ae3cd5571670c01e64adc

SHA256
b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246

SHA512
5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\windows\cri\template.js

Filesize
1KB

MD5
28decc051786aa95f9eaa105e501c1ad

SHA1
fc48b98afa8381691f3fc9e8fbcfd3b44d7cbbf2

SHA256
251a2a256702e0311d74880d94f1dad12faa50522fe574f8cb773347f578f193

SHA512
d64fd779d00fe3cfb90e7793e0174fc604426fb30b7dfcdf624fcf936fd86c505c30537067179fce2244731b45ae24eebd4d0955f007ff12945dbd5426871263

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\js\windows\modal\modal-controller.js

Filesize
2KB

MD5
9c272c11afef285c424048a8abaf2d97

SHA1
e3591fd231fbc2bcf9d2140c3aeb91cf25ad24da

SHA256
cd2eb723bf313ac36456dca71e537b6ea8d7aef37367d10f57b759b02fc076ca

SHA512
e1062949981665acab11b23c599f955b3dc740994d29b32bdeeaf22be8ec6cbcd43bce55562ea25ecdae3e18cbfb02c98954ca754cbace252c3885ff3620ee9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\app\manifest.json

Filesize
691B

MD5
bb3b751bcade0f31505d05e826690d3e

SHA1
3c8eef7d8c15198edeb329d0e80d9f01b29462c1

SHA256
5694061ffe8d1ed9bb308b0a02bdbe5b639ca61460369145051763b4f186fdc9

SHA512
dde9b0d5b98e5c101c4e3931eaadc8f8be941d3c976b9192992ea2fdcbc23b38d3b35b55667115f3e457e36198f6ddb16a1c62d87d0b2456e6d2c45824f9faab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\uac.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\uac.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb2278.tmp\utils.dll

Filesize
55KB

MD5
aad3f2ecc74ddf65e84dcb62cf6a77cd

SHA1
1e153e0f4d7258cae75847dba32d0321864cf089

SHA256
1cc004fcce92824fa27565b31299b532733c976671ac6cf5dbd1e0465c0e47e8

SHA512
8e44b86c92c890d303448e25f091f1864946126343ee4665440de0dbeed1c89ff05e4f3f47d530781aa4db4a0d805b41899b57706b8eddfc95cfa64c073c26e2

Download Submit
C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe

Filesize
1.3MB

MD5
71bd8e46c51e2594d42fdb1742e1ed49

SHA1
31aff85a4c7bda2eedb81410e4acd3a0d1aed6fa

SHA256
0b9d2fb9e70cb5771a0f802e124fd8b6059b2d41d2fb7bac3287215b89ae8efb

SHA512
5b0e30556f64315e189c355b1ee6e18e144e35fb9f2f8010b396a750d047ce8951084398e747796243d1f4e48d133f7642c7180e9548c122c097c40dd000f0a1

Download Submit
C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe

Filesize
1.3MB

MD5
71bd8e46c51e2594d42fdb1742e1ed49

SHA1
31aff85a4c7bda2eedb81410e4acd3a0d1aed6fa

SHA256
0b9d2fb9e70cb5771a0f802e124fd8b6059b2d41d2fb7bac3287215b89ae8efb

SHA512
5b0e30556f64315e189c355b1ee6e18e144e35fb9f2f8010b396a750d047ce8951084398e747796243d1f4e48d133f7642c7180e9548c122c097c40dd000f0a1

Download Submit
memory/1456-216-0x0000000003A00000-0x0000000003A0F000-memory.dmp

Filesize
60KB

Download
memory/1780-198-0x000000001C2B0000-0x000000001C2C2000-memory.dmp

Filesize
72KB

Download
memory/1780-199-0x000000001CD00000-0x000000001CD3C000-memory.dmp

Filesize
240KB

Download
memory/1780-210-0x00007FFBA6A50000-0x00007FFBA7511000-memory.dmp

Filesize
10.8MB

Download
memory/1780-197-0x00007FFBA6A50000-0x00007FFBA7511000-memory.dmp

Filesize
10.8MB

Download
memory/2812-187-0x00000000046A1000-0x00000000046B1000-memory.dmp

Filesize
64KB

Download
memory/2812-185-0x00000000046A1000-0x00000000046A5000-memory.dmp

Filesize
16KB

Download
memory/2812-184-0x0000000003090000-0x000000000309C000-memory.dmp

Filesize
48KB

Download
memory/3432-265-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-283-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-284-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-286-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-287-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-289-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-281-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-274-0x00007FF724630000-0x00007FF724640000-memory.dmp

Filesize
64KB

Download
memory/3432-277-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-280-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-278-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-275-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-271-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-273-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-272-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-257-0x00007FF731F00000-0x00007FF731F10000-memory.dmp

Filesize
64KB

Download
memory/3432-258-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-270-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-226-0x00007FF73ACF0000-0x00007FF73AD00000-memory.dmp

Filesize
64KB

Download
memory/3432-259-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-229-0x00007FF73ACF0000-0x00007FF73AD00000-memory.dmp

Filesize
64KB

Download
memory/3432-228-0x00007FF73ACF0000-0x00007FF73AD00000-memory.dmp

Filesize
64KB

Download
memory/3432-231-0x00007FF73ACF0000-0x00007FF73AD00000-memory.dmp

Filesize
64KB

Download
memory/3432-230-0x00007FF73ACF0000-0x00007FF73AD00000-memory.dmp

Filesize
64KB

Download
memory/3432-235-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-236-0x00007FF731F00000-0x00007FF731F10000-memory.dmp

Filesize
64KB

Download
memory/3432-264-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-238-0x00007FF724630000-0x00007FF724640000-memory.dmp

Filesize
64KB

Download
memory/3432-234-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-232-0x00007FF724630000-0x00007FF724640000-memory.dmp

Filesize
64KB

Download
memory/3432-268-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-239-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-241-0x00007FF724630000-0x00007FF724640000-memory.dmp

Filesize
64KB

Download
memory/3432-249-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-248-0x00007FF6F0370000-0x00007FF6F0380000-memory.dmp

Filesize
64KB

Download
memory/3432-247-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-246-0x00007FF731F00000-0x00007FF731F10000-memory.dmp

Filesize
64KB

Download
memory/3432-242-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-253-0x00007FF731F00000-0x00007FF731F10000-memory.dmp

Filesize
64KB

Download
memory/3432-254-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-252-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-269-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-245-0x00007FF6F0370000-0x00007FF6F0380000-memory.dmp

Filesize
64KB

Download
memory/3432-244-0x00007FF731F00000-0x00007FF731F10000-memory.dmp

Filesize
64KB

Download
memory/3432-243-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-240-0x00007FF731F00000-0x00007FF731F10000-memory.dmp

Filesize
64KB

Download
memory/3432-267-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-256-0x00007FF6F0370000-0x00007FF6F0380000-memory.dmp

Filesize
64KB

Download
memory/3432-266-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-263-0x00007FF73C130000-0x00007FF73C140000-memory.dmp

Filesize
64KB

Download
memory/3432-262-0x00007FF6D7B60000-0x00007FF6D7B70000-memory.dmp

Filesize
64KB

Download
memory/3432-261-0x00007FF6F0370000-0x00007FF6F0380000-memory.dmp

Filesize
64KB

Download
memory/3644-165-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/3644-163-0x0000000006CE0000-0x0000000006D0E000-memory.dmp

Filesize
184KB

Download
memory/3644-154-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/3644-180-0x000000000BA70000-0x000000000C216000-memory.dmp

Filesize
7.6MB

Download
memory/3644-181-0x000000000FDF0000-0x000000000FE21000-memory.dmp

Filesize
196KB

Download
memory/3644-155-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/3644-153-0x0000000000780000-0x000000000098C000-memory.dmp

Filesize
2.0MB

Download
memory/3644-159-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3644-158-0x00000000063C0000-0x00000000068EC000-memory.dmp

Filesize
5.2MB

Download
memory/4048-212-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4048-215-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4048-221-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4188-141-0x0000000002891000-0x0000000002894000-memory.dmp

Filesize
12KB

Download
memory/4188-144-0x0000000002AF1000-0x0000000002AF5000-memory.dmp

Filesize
16KB

Download
memory/4680-191-0x00007FFBA6A50000-0x00007FFBA7511000-memory.dmp

Filesize
10.8MB

Download
memory/4680-189-0x0000000000290000-0x0000000000508000-memory.dmp

Filesize
2.5MB

Download
memory/4680-190-0x00007FFBA6A50000-0x00007FFBA7511000-memory.dmp

Filesize
10.8MB

Download