hxxps://cdn[.]discordapp[.]com/attachments/976211725672153128/1091179886846156820/Buff_Achievement_Tracker_-_Installer_2[.]exe

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/976211725672153128/1091179886846156820/Buff_Achievement_Tracker_-_Installer_2.exe

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OWinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	OWinstaller.exe

Executes dropped EXE 7 IoCs

Processes:

Buff_Achievement_Tracker_-_Installer_2.exeOWinstaller.exeOverwolfSetup.exeOverwolfUpdater.exeOverwolfUpdater.exeOverwolfTSHelper.execheckRedist.exe

pid	process
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2104	OWinstaller.exe
2808	OverwolfSetup.exe
2160	OverwolfUpdater.exe
2792	OverwolfUpdater.exe
4180	OverwolfTSHelper.exe
3316	checkRedist.exe

Loads dropped DLL 31 IoCs

Processes:

Buff_Achievement_Tracker_-_Installer_2.exeOWinstaller.exeOverwolfSetup.exeOverwolfTSHelper.exe

pid	process
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2084	Buff_Achievement_Tracker_-_Installer_2.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
4180	OverwolfTSHelper.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe
2808	OverwolfSetup.exe

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

DxDiag.exeOverwolfTSHelper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\LocalServer32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OWinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Overwolf = "C:\\Program Files (x86)\\Overwolf\\OverwolfLauncher.exe -overwolfsilent"	OWinstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 18 IoCs

Processes:

DxDiag.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	DxDiag.exe

Drops file in Program Files directory 64 IoCs

Processes:

OverwolfSetup.exeOWinstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\log4net.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\bin\api-ms-win-core-console-l1-1-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\bin\api-ms-win-crt-string-l1-1-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Licenses\Facebook_Devloper_Kit.license.txt	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\default_extensions\overwolf_remote_configurations.opk	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\ddldopbhkfcfooplfhjfcppflnfanaedbmkpkhni\Splash.png	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.221.0.4\D3DX9_43.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\OverwolfBenchmarking.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Overwolf.Subscriptions.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Licenses\libpng-LICENSE.txt	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Licenses\openmcdf.license.txt	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\jnabojaampcpfclojlbildognlnebnhfhibiielh\Icon.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\uninstaller\Files\css\state-slides.css	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Backup\OWUninstaller.exe.bak	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\OverwolfCrashHandler.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\win32\d3dx11_43.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\win32\D3DX9_43.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Locales\tr\OverWolf.Client.Core.resources.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\iighjfalpgednmflhnefmogncmaafgaddchbadgn\Icon.ico	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.221.0.4\win32\D3DCompiler_47.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\icudtl.dat	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\OverWolf.BL.Communication.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\emokficlajnchpkacabnhhjldoakmbdabppoeeme\manifest.json	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.221.0.4\OWAgent.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.221.0.4\win32\D3DCompiler_43.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\uninstaller\Files\css\header.css	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\uninstaller\Files\js\finishedSlide.js	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\uninstaller\Files\js\progressSlide.js	OverwolfSetup.exe
File created	C:\Program Files (x86)\Common Files\Overwolf\ow-obs\inject-helper32.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Backup\OverwolfUpdater.exe.bak	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\websocket-sharp.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\OWUninstallMenu.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\OverwolfTSHelperPS.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\System.Buffers.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\bin\api-ms-win-core-handle-l1-1-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\hpdhmnlhpopmgnelabncfdcdjmheadngeamapkhd\Icon.ico	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\lbelkhgffoedffcamifhhgglceiibjdddpbbgcnj\manifest.json	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\uninstaller\Files\assets\svg\sprite.svg	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\OverwolfLauncher.exe	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.221.0.4\resources\default_extensions\game-events-provider.opk	OWinstaller.exe
File created	C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\teamspeak_control.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\bin\api-ms-win-core-processenvironment-l1-1-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\bin\api-ms-win-core-string-l1-1-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\Audio\Pop_Cropped_-3db.wav	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\System.ValueTuple.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Sentry.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Licenses\WPF_Toolkit.license.txt	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Locales\ja\OverWolf.Client.Core.resources.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\faaocmciajgmffjehabepkbpagpcfchnabibcnof\Splash.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\jgbnfkaeklillfmfafgkodhlcnfdgkmjmjngaaof\Splash.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\jnabojaampcpfclojlbildognlnebnhfhibiielh\manifest.json	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.221.0.4\ow-graphics-vulkan.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\leveldb.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\OverwolfBrowser.exe.config	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\OverWolf.Kernel32.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\xinput9_1_0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\System.Text.Encodings.Web.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\default_extensions\teamspeak\cs_to_go.opk	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\gphodffjnplojfigjjffnbbpjpcpdpfiimfpfacl\Icon.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\builtin_extensions\lnhebboianabbebhnpoodokcdcnmikacoeijpjfe\Splash.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\OverwolfTSHelper.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\Resources\OverwolfLauncherProxy.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.221.0.4\win32\OWExplorerLauncher.dll	OverwolfSetup.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3612 sc.exe
3768 sc.exe
4312 sc.exe
3836 sc.exe
2944 sc.exe
4896 sc.exe
4864 sc.exe
2324 sc.exe
3484 sc.exe
3356 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3612	sc.exe
3768	sc.exe
4312	sc.exe
3836	sc.exe
2944	sc.exe
4896	sc.exe
4864	sc.exe
2324	sc.exe
3484	sc.exe
3356	sc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DxDiag.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DxDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DxDiag.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 575ec7859e45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024158"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2657272318"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024158"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387066008"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5672D0FA-5D60-4EE3-9A47-3AC4BC7F5EA1}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2657272318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C93D947A-D011-11ED-B7D7-42C2EBB090FB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

OverwolfTSHelper.exeDxDiag.exeOverwolfSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\Version\ = "1.0"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81A2F1FA-CAA8-4393-B70F-6F245AF97DC1}\ = "ITSClientInfo"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\ProxyStubClsid32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\ProxyStubClsid32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81A2F1FA-CAA8-4393-B70F-6F245AF97DC1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\ = "ITSWapper"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\Programmable	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Overwolf\\Teamspeak\\OverwolfTSHelper.exe\""	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\ = "OverwolfTSHelperLib"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\ = "TSClientInfo Class"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\FLAGS	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\ProxyStubClsid32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{157EC1D9-6C36-4D17-AD4E-5E1901924244}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81A2F1FA-CAA8-4393-B70F-6F245AF97DC1}\TypeLib	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\ = "OPK_File"	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit\command\ = "\"C:\\Program Files (x86)\\Overwolf\\\\OverwolfLauncher.exe\" -install-opk %1"	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}\Version	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37AE4F6C-9435-4E72-8C72-8A619C8C469B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\TypeLib	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\HELPDIR	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.opk\ = "OPK_File"	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F3219881-CE98-4C8C-A472-280BD9A7D247}\1.0\FLAGS\ = "0"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\ProxyStubClsid32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81A2F1FA-CAA8-4393-B70F-6F245AF97DC1}\ProxyStubClsid32	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3961296B-2DFE-45BD-8752-AB5FF712CC96}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit\command	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}\LocalServer32	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81A2F1FA-CAA8-4393-B70F-6F245AF97DC1}\TypeLib\Version = "1.0"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}\Version\ = "1.0"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\TypeLib\ = "{F3219881-CE98-4C8C-A472-280BD9A7D247}"	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBABE429-FE8E-4E35-97CF-9D3ED707696A}\TypeLib\Version = "1.0"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opk	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}\TypeLib	OverwolfTSHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\TypeLib\Version = "1.0"	OverwolfTSHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBDBC573-E9B2-41EC-867D-172ADEBC9554}\TypeLib	OverwolfTSHelper.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

OverwolfUpdater.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OverwolfUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OverwolfUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OverwolfUpdater.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

OWinstaller.exeDxDiag.exeOverwolfUpdater.exeOverwolfUpdater.exe

pid	process
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2632	DxDiag.exe
2632	DxDiag.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2160	OverwolfUpdater.exe
2160	OverwolfUpdater.exe
2792	OverwolfUpdater.exe
2792	OverwolfUpdater.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

OWinstaller.exeOverwolfUpdater.exeOverwolfUpdater.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2104	OWinstaller.exe
Token: SeShutdownPrivilege	2104	OWinstaller.exe
Token: SeCreatePagefilePrivilege	2104	OWinstaller.exe
Token: SeShutdownPrivilege	2104	OWinstaller.exe
Token: SeCreatePagefilePrivilege	2104	OWinstaller.exe
Token: SeShutdownPrivilege	2104	OWinstaller.exe
Token: SeCreatePagefilePrivilege	2104	OWinstaller.exe
Token: SeSecurityPrivilege	2104	OWinstaller.exe
Token: SeDebugPrivilege	2160	OverwolfUpdater.exe
Token: SeDebugPrivilege	2792	OverwolfUpdater.exe
Token: SeSecurityPrivilege	3768	sc.exe
Token: SeSecurityPrivilege	3768	sc.exe
Token: SeSecurityPrivilege	4312	sc.exe
Token: SeSecurityPrivilege	4312	sc.exe
Token: SeSecurityPrivilege	2324	sc.exe
Token: SeSecurityPrivilege	2324	sc.exe
Token: SeSecurityPrivilege	3484	sc.exe
Token: SeSecurityPrivilege	3484	sc.exe
Token: SeSecurityPrivilege	3836	sc.exe
Token: SeSecurityPrivilege	3836	sc.exe
Token: SeSecurityPrivilege	3612	sc.exe
Token: SeSecurityPrivilege	3612	sc.exe
Token: SeSecurityPrivilege	3356	sc.exe
Token: SeSecurityPrivilege	3356	sc.exe
Token: SeSecurityPrivilege	2944	sc.exe
Token: SeSecurityPrivilege	2944	sc.exe
Token: SeSecurityPrivilege	4896	sc.exe
Token: SeSecurityPrivilege	4896	sc.exe
Token: SeSecurityPrivilege	4864	sc.exe
Token: SeSecurityPrivilege	4864	sc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeOWinstaller.exe

pid process

748 iexplore.exe
748 iexplore.exe
2104 OWinstaller.exe
748 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOWinstaller.exeDxDiag.exeIEXPLORE.EXE

pid	process
748	iexplore.exe
748	iexplore.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2104	OWinstaller.exe
2104	OWinstaller.exe
2104	OWinstaller.exe
2632	DxDiag.exe
748	iexplore.exe
748	iexplore.exe
372	IEXPLORE.EXE
372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

iexplore.exeBuff_Achievement_Tracker_-_Installer_2.exeOWinstaller.exeOverwolfSetup.exeOverwolfUpdater.exe

description	pid	process	target process
PID 748 wrote to memory of 2788	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 2788	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 2788	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 2084	748	iexplore.exe	Buff_Achievement_Tracker_-_Installer_2.exe
PID 748 wrote to memory of 2084	748	iexplore.exe	Buff_Achievement_Tracker_-_Installer_2.exe
PID 748 wrote to memory of 2084	748	iexplore.exe	Buff_Achievement_Tracker_-_Installer_2.exe
PID 2084 wrote to memory of 2104	2084	Buff_Achievement_Tracker_-_Installer_2.exe	OWinstaller.exe
PID 2084 wrote to memory of 2104	2084	Buff_Achievement_Tracker_-_Installer_2.exe	OWinstaller.exe
PID 2104 wrote to memory of 2632	2104	OWinstaller.exe	DxDiag.exe
PID 2104 wrote to memory of 2632	2104	OWinstaller.exe	DxDiag.exe
PID 2104 wrote to memory of 2808	2104	OWinstaller.exe	OverwolfSetup.exe
PID 2104 wrote to memory of 2808	2104	OWinstaller.exe	OverwolfSetup.exe
PID 2104 wrote to memory of 2808	2104	OWinstaller.exe	OverwolfSetup.exe
PID 2808 wrote to memory of 2160	2808	OverwolfSetup.exe	OverwolfUpdater.exe
PID 2808 wrote to memory of 2160	2808	OverwolfSetup.exe	OverwolfUpdater.exe
PID 2808 wrote to memory of 2792	2808	OverwolfSetup.exe	OverwolfUpdater.exe
PID 2808 wrote to memory of 2792	2808	OverwolfSetup.exe	OverwolfUpdater.exe
PID 2808 wrote to memory of 4180	2808	OverwolfSetup.exe	OverwolfTSHelper.exe
PID 2808 wrote to memory of 4180	2808	OverwolfSetup.exe	OverwolfTSHelper.exe
PID 2808 wrote to memory of 3316	2808	OverwolfSetup.exe	checkRedist.exe
PID 2808 wrote to memory of 3316	2808	OverwolfSetup.exe	checkRedist.exe
PID 2792 wrote to memory of 3768	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3768	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 4312	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 4312	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 2324	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 2324	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3484	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3484	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3836	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3836	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3612	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3612	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3356	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 3356	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 2944	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 2944	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 4896	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 4896	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 4864	2792	OverwolfUpdater.exe	sc.exe
PID 2792 wrote to memory of 4864	2792	OverwolfUpdater.exe	sc.exe
PID 2104 wrote to memory of 2356	2104	OWinstaller.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 2356	2104	OWinstaller.exe	IEXPLORE.EXE
PID 748 wrote to memory of 372	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 372	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 372	748	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/976211725672153128/1091179886846156820/Buff_Achievement_Tracker_-_Installer_2.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\Buff_Achievement_Tracker_-_Installer_2.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\Buff_Achievement_Tracker_-_Installer_2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWinstaller.exe" Sel=1&Partner=3762&Extension=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl&Name=Buff%20Achievement%20Tracker&Thanks=https%3A%2F%2Fbuff.game%2Fthank-you-page%2F&UtmSource=Buff_Affiliate&UtmMedium=Everflow&UtmCampaign=ev_offer-14&UtmContent=9&Referer=www.buff.game&Browser=opera -partnerCustomizationLevel 0 --app-name="Buff" -exepath C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\Buff_Achievement_Tracker_-_Installer_2.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\System32\DxDiag.exe
"C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
4⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2632

C:\ProgramData\Overwolf\Setup\0.221.0.4\OverwolfSetup.exe
"C:\ProgramData\Overwolf\Setup\0.221.0.4\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808

C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe
"C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe" /UpdateFWRules "C:\Program Files (x86)\Overwolf\\0.221.0.4\OverwolfBrowser.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe
"C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe" /Register
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SYSTEM32\sc.exe
"sc" sdshow OverwolfUpdater
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SYSTEM32\sc.exe
"sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-18)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\SYSTEM32\sc.exe
"sc" sdshow OverwolfUpdater
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SYSTEM32\sc.exe
"sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;S-1-5-19)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SYSTEM32\sc.exe
"sc" sdshow OverwolfUpdater
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SYSTEM32\sc.exe
"sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;LS)(A;;RPWPCR;;;S-1-5-20)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SYSTEM32\sc.exe
"sc" sdshow OverwolfUpdater
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SYSTEM32\sc.exe
"sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;LS)(A;;RPWPCR;;;NS)(A;;RPWPCR;;;S-1-5-21-1013461898-3711306144-4198452673-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\SYSTEM32\sc.exe
"sc" sdshow OverwolfUpdater
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\SYSTEM32\sc.exe
"sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;LS)(A;;RPWPCR;;;NS)(A;;RPWPCR;;;S-1-5-21-1013461898-3711306144-4198452673-1000)(A;;RPWPCR;;;S-1-1-0)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\OverwolfTSHelper.exe
"C:\Program Files (x86)\Common Files\Overwolf\Teamspeak\OverwolfTSHelper.exe" /RegServer
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4180

C:\ProgramData\Overwolf\Setup\checkRedist.exe
"C:\ProgramData\Overwolf\Setup\checkRedist.exe"
5⤵
- Executes dropped EXE
PID:3316

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" "https://buff.game/thank-you-page/?muid=378e8bf1-7517-4d84-8459-4934a33614da&extensionId=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl"
4⤵
- Modifies Internet Explorer settings
PID:2356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:17414 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.InstallLog
Filesize
478B

MD5
232d0b283498db143089d81700586544

SHA1
e702ee7d4629fd8ab5fe4f7832e18354499d6d62

SHA256
c00148fb7e3bd17b4f29223f36e9163939de688a478233b5478e3539801f0815

SHA512
dc61c66e085c174da5479c20cbd96da79c009130a41f251e9b0423867c0b5eb246932bac13978c53c0a597aa5ee1b385115d94ea485056e4df751110ec79df47

Download Submit
C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.InstallLog
Filesize
792B

MD5
06a1d19de62ed0d2650a74124c686498

SHA1
4e1a825d5136eac37fb8af252d0361a910d0706f

SHA256
ba63fe276348f949b32ae9e0d6e8265f5c764d035bf02db2504c2e9d30f7fae0

SHA512
64b8a5f2ac0fa8f579a0436c8db329235f17907b99a98d3b438dc5f121a3067f6825f90dacec0ce4420422fe8a28624e1d0f58d1cbd68692c4bae50f629e3a32

Download Submit
C:\ProgramData\Overwolf\Setup\0.221.0.4\OverwolfSetup.exe
Filesize
274.1MB

MD5
6421411b6212bc9475442ee4dffd0ec4

SHA1
c5f97fd58b6ce5929dd5fdb8c52093413ffdeb8d

SHA256
5ec509a894d302abdcd6bf0f5490cbd764799df2f7783ad44f9aa6d6b52c9136

SHA512
94392b582536ec313bf131bf6faac872304cfbea1967816899810076d1b9c02cefd2a7ffb9eff38bedee6108209975bef8e84255ccb2704de815fd9c84efc731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
bdbbd793778777706223b00a4ea24ed0

SHA1
bf09527cebe8906bfe6aa1e885bc9fb1b3ec54e4

SHA256
8b1034038298faf34d3f580c1ded7212f40d146de7e62cff20826c8b53f80c36

SHA512
7397d981e28bee91dd0e08c3a38444d8524204118548e8db810f5a277cbb08c20a64350063cf36ee4a943edba249f1d0ed350d4cfbc0671461cf27c2534c1f13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
297c7f94b45c69d1247169834c5b2ad3

SHA1
cf32458e616eacec01ebcff0602cf3bd7bf20567

SHA256
270adb44d198fd90b6ecf6af0eabaf68eac640bebd19d2fde38144119e21650e

SHA512
632882c8332e9af02771b0ce524f98c6152f731a15084faffaae30b94fc4c0238134b619581faac0002bd01d9e51dd3a8df58e46aff9739debce8bb8d640ca93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE42B.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\Buff_Achievement_Tracker_-_Installer_2.exe
Filesize
2.0MB

MD5
2a9beb97d8e9134d8c4f100ece555439

SHA1
eed1cb42da2a9eb25f29eff85af543738467c244

SHA256
b50f93fac9553f4619f754fef712fb04233f2635e1b0bd3d293359c6718ef706

SHA512
014d6f06af83ec5e9368467dd61a53d6cd2bb6e1c7e77b812ff6cb1a198da5e360363df079e78a50dfe051a408fd26d17063ce54a0244d3768c8a1a44c00e47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\Buff_Achievement_Tracker_-_Installer_2.exe.bjcd591.partial
Filesize
2.0MB

MD5
2a9beb97d8e9134d8c4f100ece555439

SHA1
eed1cb42da2a9eb25f29eff85af543738467c244

SHA256
b50f93fac9553f4619f754fef712fb04233f2635e1b0bd3d293359c6718ef706

SHA512
014d6f06af83ec5e9368467dd61a53d6cd2bb6e1c7e77b812ff6cb1a198da5e360363df079e78a50dfe051a408fd26d17063ce54a0244d3768c8a1a44c00e47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\progress[1].css
Filesize
702B

MD5
1d66bac6d892d75acd1ca5fe4fd39974

SHA1
7ab518b9fe084077e1e0f0537ee266a84cde7c53

SHA256
be69261940925377fede26433a0431e2fc1521f107525f68fbc3af3ff2818044

SHA512
26e59e6f378d3f22f939a08796311f78dca44958e03c4f6a724e61374571561aa50bbbb58c866bcb5441aa0114e33b9e67d538b65c7e7de16d5afdfedfa403bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\reset[1].css
Filesize
427B

MD5
d29f1cfab4739a8757e86b90ee9a745f

SHA1
9f36d9336ed6a90beca34bfc7d5cee28adc3aa44

SHA256
a5d4254113dc8ec027bc30da0df9dde7c39583b024660fccca1e949d1db70f90

SHA512
56ce5d8cee435b2d9a1b9626e8ffdb449b5e1813d24468dc5808f31271d5b8adb9fa143f17743a48f5c081f67325e08ae8c881ae1acdf8dec4c3cea36fc2fa4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9YACFB9R\block_inputs[1].js
Filesize
281B

MD5
78958110509900367e8bd8f6fe554e70

SHA1
7559eccda81669fee7a06b4ec54a22a672d8c64c

SHA256
b2a763b225eee36970d4525500d538ed2efb00cfb2fed01b13ccc4d98beeab57

SHA512
7662859b3b5cd3713293118c101d6afa0017924ac49e731f8b80b9fa938021257b4fe04befd6b810c10cd4420fe5c611ef4167b7d4d028593abf59d588dbb0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9YACFB9R\style[1].css
Filesize
1KB

MD5
bde238bc90d90deecbdfebadafbac483

SHA1
b406e2a9766130621a3ba8f23bc6f302164b915d

SHA256
06fa8be623a7a52f8a45976fae5209b9d539b1e849755d50de9a3d2de0b9881b

SHA512
126eab9624db7093b7000abf3f01f6923ad243a5dfa4a7cba016164f540d2e0ea8480a8e9ce0e037120872a84c2f38da2a929713b85dda00888f185085790681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\fonts[1].css
Filesize
2KB

MD5
2778c70161bb0aec49f4207e1430bf63

SHA1
7d74122bf734778e2cf11f41836420003bd02b24

SHA256
086aa3af6429d74fcf04ec1f5e870145cc6309a6c4c0c22c2d46f3560d7d587d

SHA512
73c1d980ddaf682340cb98d5dfd4a34e0d29e9a41035295ea76f104ef659881bd783e1bb38b40281edb588616d8a59d4433fa015a0f4aa5c398f5b65e614288c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\jquery-1.10.2.min[1].js
Filesize
90KB

MD5
f5181545817b45e967869df84ad33f49

SHA1
4464b91f3536b736543eb49e04e6ff2cefeb5e33

SHA256
a881c47a88411a1c65c5107537c9253d4d4db16b57db5cf0201bee1a9f2f30b2

SHA512
1a7d57e96179b10e4024c337a9ef276d28738673cc495f6a9ad677c568ee08d5be62b1040a63cb31cd8353c8dbea3ecdb468e1afab6d69088e8d14cd48322ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\Buff_Achievement_Tracker_-_Installer_2[1].exe
Filesize
2.0MB

MD5
2a9beb97d8e9134d8c4f100ece555439

SHA1
eed1cb42da2a9eb25f29eff85af543738467c244

SHA256
b50f93fac9553f4619f754fef712fb04233f2635e1b0bd3d293359c6718ef706

SHA512
014d6f06af83ec5e9368467dd61a53d6cd2bb6e1c7e77b812ff6cb1a198da5e360363df079e78a50dfe051a408fd26d17063ce54a0244d3768c8a1a44c00e47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\AppShortcutIcons\caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl.ico
Filesize
3KB

MD5
cb40470c55476c8882871a63df6393e8

SHA1
4129db65881022ec877d1f2993fb7e763afb60aa

SHA256
b2289c0afc3644e53b117877fde66b66192c025adbca614d4c37ea557feb1d68

SHA512
eec21c3f84aa5b3f9faf11414a87beb209e84f59c08042475ec6989487127e294bde3b1afde35010446e271f7eeab0baead4c5db3e7db53a9dae5f53af84f5f5

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Log\InstallerTrace_2023-03-31_22-17_2104.log
Filesize
5KB

MD5
54ab1bea5b6eb7fb4e4e40e5fea3f227

SHA1
6f78014f96c56531b8e478d401af2ab1778f0cf7

SHA256
9979fef2b00ccb51bfbfb6e91f14dc6e1227ac949230aeec75b7098d5f9a87c1

SHA512
a05b40f1c28a5ae84ee8b1e9a873f436fac33e560cb7aab8959ebfccf826aa0f9388da38d5f1ea74d2ca892df311391575d1b5ea8532548f4028d610cbb5fa9b

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml
Filesize
752B

MD5
b0c894b15c0e0bb1efe2b3a512ec5124

SHA1
4ccec2e7b3df78b553ba1c33608576d8f9a83523

SHA256
9c21fe3c3ba3a2f6dbe61c527077078b4e7d3105ac9b2a775411e34aa952a5da

SHA512
80f2b11d108f7140973c809bf1e7f46c9161e93d1773ec43268fe22fb715fbb80ec3c67ff60b6da0641d2f3f592e78165884728e41788cba171c2139204cdf4b

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml
Filesize
752B

MD5
b0c894b15c0e0bb1efe2b3a512ec5124

SHA1
4ccec2e7b3df78b553ba1c33608576d8f9a83523

SHA256
9c21fe3c3ba3a2f6dbe61c527077078b4e7d3105ac9b2a775411e34aa952a5da

SHA512
80f2b11d108f7140973c809bf1e7f46c9161e93d1773ec43268fe22fb715fbb80ec3c67ff60b6da0641d2f3f592e78165884728e41788cba171c2139204cdf4b

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\temp\410941ac-53ec-4b1d-ae64-95229926ed7d\manifest.json
Filesize
14KB

MD5
0d28fc52719ecad810d7cd85d9d2f330

SHA1
cbe75e5e2b78f760b9052f161f88075ea84bb15e

SHA256
0635a839a1b2dfefcc3bdf44cd864faf6067543810e3cbaeb500751cdf05806b

SHA512
b836c7536ba4a62b68ca5ec510e65e5ceba994f1d77be53504795efca658dce1ebb820bd1a5e022cc09d7f2d8227a8084d67da0a2b142b5f55e7004a1cae56ae

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\temp\410941ac-53ec-4b1d-ae64-95229926ed7d\static\css\debugWindow.4f824990.chunk.css
Filesize
62KB

MD5
ac0bb00e158184c8931d1ff94c402d0a

SHA1
84375cf44127ba3daac49fb810907d49a3ca540a

SHA256
316497b9dce764e34b128935ba2987515cf9d13b8bc3cd181e531ef8a9aca2c4

SHA512
309332ed8fb2768bcfb97733255d935a2bf1bde9239224e31b8623e9f948df0c78c570560cfca47d15d3cd0bfb25a9f54ba726cd93a72fd5f6155c44beb562ab

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\temp\410941ac-53ec-4b1d-ae64-95229926ed7d\static\css\unsupportedGameSummary.857598ca.chunk.css
Filesize
346KB

MD5
9248b19c93a1fcd783a686bd0b6acabf

SHA1
4a1171438c75da4ffc4453b97a849050fb1fe1ca

SHA256
c845eccd23258955f0a9f9487cd22fdd3887e7364e0051c141a1bc467ce91045

SHA512
1ecea8ea4a2391dbe8c41c6022ff6f39c2fdd868f6966c3ee6fc8b6815b0e888e67729389c07f3bcd721adc44eef4ae359e21e0a39c0ddafaaca5e86ba288d32

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\temp\410941ac-53ec-4b1d-ae64-95229926ed7d\static\css\unsupportedSecondMonitor.be876e7d.chunk.css
Filesize
312KB

MD5
450b2104b7fd64088d5f6bd7a76fc3b7

SHA1
0bcb0f3525550880925c229ba69f1d6defa958cc

SHA256
b2341e67425b1dc2622daa91c37ad6845ad55346b9b85bfae47bb6db00d56b4f

SHA512
dc858bb5f79d6c1be86a21d9197a2c60ee41759628c01ab9fb0b9fb98afc20bda78f425db6dfa9e5626b7f6bdace8fc639d6a6dbc802166c2d008e5e29e3734e

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\temp\410941ac-53ec-4b1d-ae64-95229926ed7d\static\js\debugWindow.1163a8e9.chunk.js.LICENSE.txt
Filesize
1KB

MD5
eed8d496c4bc3bb96add3b4239d9e634

SHA1
7b4fcd6ba564472284a260054f847357aa3e0dd3

SHA256
74f90ffa3abc32edea312fe91d5a9acfaeea8d33a038a5e3b7498ac57955727a

SHA512
e84d8644d8e6e20b04bb02f2c1c88359ffd8dbd77c65ea9adea691cf5e31a75e1398e712a5c24e02cef67dcdf2eb927df8633c6fcec917767dd872ec0116bf94

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\temp\410941ac-53ec-4b1d-ae64-95229926ed7d\static\media\DE.fdeaf79e.svg
Filesize
262B

MD5
fdeaf79eb993f54e6d2408df5c99b915

SHA1
6e2e55c8b1a61b9ef51cca48e49920c00fe8dbba

SHA256
6f325793e7a47e1472bc3ec47114ed5854e47e0e80e9df1a0cf30014bacb6210

SHA512
94a3d54191f717036045a74f15ccc2a78ed39359fefe3b1bc06c91209fe03722b9fd9c03549bb7526aa5abb47d028ed8f579fc8df1c7ab6d97ef7ecff9d2d838

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd415A.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd415A.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd415A.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd415A.tmp\nsExec.dll
Filesize
6KB

MD5
143e45d5929ba564ba0c3a0773be76e6

SHA1
c7e108ad681dd19afc646a43f7ce757388653f57

SHA256
8459feb67b7eb0caaaed607e0f36c8d4979abf1bad87e7f1c7c2b97c73174d6d

SHA512
1114403b9af202396ffe32610e1160313ff22c488f87b4a8f771d14fda02a954af7beacad5655143dafdf0af9a76b2a0d5c121ef57819e0567c367578482f003

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd415A.tmp\nsisunz.dll
Filesize
94KB

MD5
b6b206157dc73d830e8383e53d6dc901

SHA1
de73fa2a07e809b400f0970621f1d5ec576e3335

SHA256
be461d66c6f0dd1298b6b381c6abb492a264b3b94b4ab307c8714537113fb59f

SHA512
bdde2d15e01c733f51b6ae4c32ee7e02a00ebb50e14db096652ce030210b38c7e2192e3fbe847f5f3f86549537e8c3e1ad4c572bcd9f980588d81fe250921f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\CommandLine.dll
Filesize
75KB

MD5
adf121cb3885388a01dda99c44d31d6e

SHA1
f334a6e7f89c538f77e7e47ee43e98f330e2e6ea

SHA256
c27a9942d00180c45c8cab27718f15c22d9884b1f9c71819efc46ab7aaea2420

SHA512
acb28b6b26853d2fc96d3c68255fa485e16dfac2e2b8e99e423dca4fdc22bddac0f2be70967f8bbaf4e64e17f2d3325f3ef21373423b32e961fda45ac5ae6279

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\Newtonsoft.Json.dll
Filesize
692KB

MD5
98cbb64f074dc600b23a2ee1a0f46448

SHA1
c5e5ec666eeb51ec15d69d27685fe50148893e34

SHA256
7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13

SHA512
eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWInstaller.exe
Filesize
331KB

MD5
213793f7b7f4a0b39361614dd7233c5f

SHA1
9ce723ac3d4af62d5e432bd2462a7506d89b2521

SHA256
1cbbea422baa32f56d416bf566e48dbb5dab8be47aeb3c2cce2d11846993c73a

SHA512
aad4288025aa75278db22f0b332348bb4b5af1e5b3cdaef0a87cad34027e1996491aec5f1cef17923df2388bed79fe62c2c92ea6fe195386f302d2dbd48a45b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWInstaller.exe
Filesize
331KB

MD5
213793f7b7f4a0b39361614dd7233c5f

SHA1
9ce723ac3d4af62d5e432bd2462a7506d89b2521

SHA256
1cbbea422baa32f56d416bf566e48dbb5dab8be47aeb3c2cce2d11846993c73a

SHA512
aad4288025aa75278db22f0b332348bb4b5af1e5b3cdaef0a87cad34027e1996491aec5f1cef17923df2388bed79fe62c2c92ea6fe195386f302d2dbd48a45b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWInstaller.exe
Filesize
331KB

MD5
213793f7b7f4a0b39361614dd7233c5f

SHA1
9ce723ac3d4af62d5e432bd2462a7506d89b2521

SHA256
1cbbea422baa32f56d416bf566e48dbb5dab8be47aeb3c2cce2d11846993c73a

SHA512
aad4288025aa75278db22f0b332348bb4b5af1e5b3cdaef0a87cad34027e1996491aec5f1cef17923df2388bed79fe62c2c92ea6fe195386f302d2dbd48a45b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWinstaller.exe
Filesize
331KB

MD5
213793f7b7f4a0b39361614dd7233c5f

SHA1
9ce723ac3d4af62d5e432bd2462a7506d89b2521

SHA256
1cbbea422baa32f56d416bf566e48dbb5dab8be47aeb3c2cce2d11846993c73a

SHA512
aad4288025aa75278db22f0b332348bb4b5af1e5b3cdaef0a87cad34027e1996491aec5f1cef17923df2388bed79fe62c2c92ea6fe195386f302d2dbd48a45b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OWinstaller.exe.config
Filesize
632B

MD5
82d22e4e19e27e306317513b9bfa70ff

SHA1
ff3c7dd06b7fff9c12b1beaf0ca32517710ac161

SHA256
272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827

SHA512
b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OverWolf.Client.CommonUtils.dll
Filesize
582KB

MD5
834bb183a67bb6a5d853b98a2535cd76

SHA1
350ff425fa15cc48786402bee9204b21a056182c

SHA256
9e0672991890c468ba7425557d93118f3507fa7d38c2c9a36a1bbd805f964400

SHA512
d6564669946d1eb5b324aaf1153e359273a88edfbb13e7b50b7d573509d4180d0b1d1e8fc6e940d5160472802c3e52d3f348c187d9f829c90d8b04108efb6d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OverWolf.Client.CommonUtils.dll
Filesize
582KB

MD5
834bb183a67bb6a5d853b98a2535cd76

SHA1
350ff425fa15cc48786402bee9204b21a056182c

SHA256
9e0672991890c468ba7425557d93118f3507fa7d38c2c9a36a1bbd805f964400

SHA512
d6564669946d1eb5b324aaf1153e359273a88edfbb13e7b50b7d573509d4180d0b1d1e8fc6e940d5160472802c3e52d3f348c187d9f829c90d8b04108efb6d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\OverWolf.Client.CommonUtils.dll
Filesize
582KB

MD5
834bb183a67bb6a5d853b98a2535cd76

SHA1
350ff425fa15cc48786402bee9204b21a056182c

SHA256
9e0672991890c468ba7425557d93118f3507fa7d38c2c9a36a1bbd805f964400

SHA512
d6564669946d1eb5b324aaf1153e359273a88edfbb13e7b50b7d573509d4180d0b1d1e8fc6e940d5160472802c3e52d3f348c187d9f829c90d8b04108efb6d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\SharpRaven.dll
Filesize
87KB

MD5
8d776dd9572e55947a6a171d84785b1e

SHA1
bb43ec0284065744fec47a9e668ee2adb1e064f9

SHA256
32df9c7d1727f999509c18d071373fed5e3f7bae16be3b3535b3e49caaba4ba9

SHA512
877ad27cc639b4551bea99e28a15f1175c2d46de912d5a8a9148afe39fe0826b18bba2d443caadd7c29e4424563d741493f73d1ae8fcc38dbcac9ddcd354aa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\_locales\en\messages.json
Filesize
10KB

MD5
e404a0ea1ac8d53b2efb0fda7f1f2795

SHA1
ec38cee96fce134fe9b08b83133e2a40c484db43

SHA256
448ea9ebb9ef609b852d78976708cd3d3c91674de3e60766704ff2d066f0de53

SHA512
8d9e10f2ba26be6bdc0e54b8e650c3f21543358b645bc9342964d258e8a1ca558e08225f3aaab5a19ad411c34fdfccc932d2cc51c6b5ced43415ef32cb9339f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\assets\fonts\lato\LatoLatin-Regular.eot
Filesize
66KB

MD5
6cfad5881181ae658a6efdd68889a690

SHA1
5b54f6ccc20ed3a078fbdf94d7a68ac80002624d

SHA256
c6c970b103b3c3aa83f7a45172619a4451ea5f015f9f3ef4fd08c9a4aa895cbc

SHA512
ddd3d43540eb3d4eef48d0834136de1e7bf23a52f286d0a666cf57c7d685aadf1cea6d37c88f9d7ce5ad6143d7c3213f54b16a11f616b7dce154bba50997bbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\bottom-arrow-hover.png
Filesize
294B

MD5
f5d76b21fcab6cc89fd0ebc1089c2c26

SHA1
160645c02dcfdcd4d6d6a8339557a62b80493e40

SHA256
3b8043e64994a53126afe1250b80fa2934196c3305bf93fd3e7a6963867a6eb9

SHA512
4c4fd737cd771e8e0c025295c598aeb4ffb2d20df10658f7cb992aa49b4817be5d291c0c6530b4e9aaa241ab76df3c52e01a40a505e7b60d1d968a96fd4de991

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\bottom-arrow.png
Filesize
279B

MD5
847fab99890ddd7460e758ad8d463ba9

SHA1
bdf8c1e45993ee33ee0bf9a2e43d6048df71cb8a

SHA256
46bfb08af2269108c681b78373c98e899b4234adce39394322c7dfd6d40dcdac

SHA512
0bd2075c61eafc2946a9431bd4fbbbb141f3743144782376874640e4aae1ee97a05844589661b3a0912b23dacdf57e0a667d8ffa8ccd0f4358e5802e653aef1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\close-hover.png
Filesize
399B

MD5
5b691eb1c6836563447358b108bc9f39

SHA1
14104e60754aa46034effcbdf21af44e13f3c4cb

SHA256
aaad22634eed5977eb3a690652f16f4efda3143dfb0c165cd391bd862de6eef0

SHA512
d239bba8ce1c22dcf6d8c830614c158290b1fd9f684f7eda86e959f5cfa86cc572fa01711e0d0850f48e13c654a9e69675d83148a3bf22f64de91f7a51eaa124

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\close-normal.png
Filesize
330B

MD5
1acb62ec3fa5a82347c330512f2259d6

SHA1
c81389f19687e791bc4ada896620b17471371c04

SHA256
e8bd82cb680ae552f587a3f0bdc1df18fc7624dffec501840cc508d327baeec3

SHA512
a6693f68c41f8a7c137f3129403b14144329c132b99956ff2c1cc5317b046eaec70aef82c7c05b9220c3c3a7f2a417718fb65bbbe486250c05191778456f602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\icon.ico
Filesize
5KB

MD5
4e6c2a6f9e3cadcb50aa0009577a6b9f

SHA1
569d5bee57d9fc49a39d01a12956a6fcd2f4a6c0

SHA256
cc2706120a13f24a64723024e7764410e10f6d370b982ba7695e3389e6ef2348

SHA512
11c73d1be5ae0793c8370b7a61dce89e6c2e00096db4d15fff2a64f684d6374f11141eaf3bc3807850184e630ed8351f17469386b07b7666caa053bf10f59a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\minimize-hover.png
Filesize
171B

MD5
f4b8851b9ef5a55b0d45392baceb31fb

SHA1
03a87a04dc75579a8568543d40db963b6e9f4051

SHA256
d84b877f7a2d601b1d71cf878b33ff78c94c2d144a0f4d72436a7dcf64e712c2

SHA512
a849659d4ba4e40b924108cd567a58f4b1569afc5c7517a10c26fd6d64422fa61812683292da1c3b19dbe91c63aacd5cd1c5b342ccce98b6815e94b55767ce4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\minimize-normal.png
Filesize
150B

MD5
1bcfd10e50ab56ac335a463ec19b8d33

SHA1
b5054dd1cdd714a6771bc11e43291df361a16ccc

SHA256
aa2b021cd0dd9563705503dad48866eac926c7ace608ff8d00f755afc509f39b

SHA512
7257c401db826ed1f4a549b1b899d0fb4a5bcc3c599ced49b07a64fc308b08fb208dc378a32d9c3cd193b4d603ae76f82bb297334998ca6abb790081a5467edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\images\welcome-logo.png
Filesize
995B

MD5
860785e1633b7a170ec443f4d36551c7

SHA1
f5a3401fdb22bffabbaae7f912f93cddbb7ea148

SHA256
2e3dced384fe419468973dcb074794b1444f48bce8f96217aa5e3a98c34e4c01

SHA512
217b2177b9f990ee27d1e169dca9f99da18e9bd41fc6d7a5ce7d01cf9e35a23f343763835424125b3fa73de196579054e56542e5885327c6922deeb34fd78e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\index.html
Filesize
18KB

MD5
d367bf95bb13abbb839927ef76618253

SHA1
95b95767ec022a74f4c9a6b74895557439817ac9

SHA256
a7db7133613735b6b5c96d4ee3eb8a1630ee783dd41a81260f2461a66c3728d8

SHA512
98fa35e39b3dc54d410c7b4af0efe31845e195473843d2ce0e25ad4b892784a2fba6a9e99964b47a4c3c1d49bc9e839c210a73c7cc788643ef36abe8a1966952

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\app.js
Filesize
21KB

MD5
7c15ecdc0a6c4894af1ebf28e32aed6f

SHA1
db55a0d8935fb49b9be45da4bb4ee88a5277b7db

SHA256
5e67c50e827ad0e651d58646ffeae6a22d6c048e34e33b5e8f1fa98a21f40eab

SHA512
792a28a59330c60f8769d46eb32d1e0c0ff25b27b338288eb6c6e4c7278d3c4dacd44d58bf8c5006e4b8fa5dc313ee23581d0c33e2b0696632dafd7223893472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\block_inputs.js
Filesize
789B

MD5
b5b52c92b90f4283a761cb8a40860c75

SHA1
7212e7e566795017e179e7b9c9bf223b0cdb9ec2

SHA256
f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544

SHA512
16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\libs\cmp.bundle.js
Filesize
296KB

MD5
c3dbbd4cfe15de60c8c3606ddf9c8784

SHA1
ef44afa8b6fb172b04aa62242b78d90b7ff34a3f

SHA256
a1d99c498fb84e20aeffcb22e7b473fa88e2909f2b9eacdc63d8e09aa56b5aec

SHA512
849a71028e2db8a14178c14c05de413d23282fa49b59befddbc5279d203f27e0d2b21ee9ef43d0aa15b2c81c17d42301d52760c894b9f7ee78ddad258f31a5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\libs\jquery-1.10.2.min.js
Filesize
90KB

MD5
44e3f0db3e4ab6fedc5758c05cf27591

SHA1
2d408aa1d35661019c95adcc60b78c0727ed25b4

SHA256
bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144

SHA512
4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\libs\mixpanel.js
Filesize
1KB

MD5
344e4265b3d4e1fecfd81c561293edab

SHA1
51dbcac23b839e64362d11763bbe64538ad80bb8

SHA256
88872b5b01a8d1dfee124333aba630ceb8535390130833dd2a312c461ac52217

SHA512
dcda17cb89861c4cd0be4b7cd93b58283cd1acc3c7a4a2176add3ea6403079c8567bcf88d878aa2e91e96c43b15a7ce668299c3d015c6dc4db5b15cddbe4ea7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\models\notifications.js
Filesize
4KB

MD5
a94dbd9bd18433d3bdc6c9efa61cba7e

SHA1
16260be72ae3101010b34b7f721edb72d0550dbf

SHA256
4eb5c8f6679df6f4a23455fe20230e1dac155324709dc8e5cb97b7ede46614bc

SHA512
6ea99466ad1252d203ba4c9a13baf6874b5603422676036aac9a03d4145529747e35b9819ce5fc35182fca78985daa4856c1d621be566b5e86e3e161135b6b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\utils\analytics.js
Filesize
3KB

MD5
00da91079bba7d8b219376f9a9b20961

SHA1
fcaeffa5cc73a667c8ef69442ba62964fddeba5a

SHA256
15f8b8bd605296723e1322465f220e173c750da0745bdf39ec400ab6215c28c7

SHA512
d906ae32a0e2d5b65a030ac6a20a95bdba63cb86ded7d48a6f9d809fe000631c309eb81a5445fa68b45e16f06fe5d282827c026208429297f78be1e7d9ed9961

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\utils\commands.js
Filesize
12KB

MD5
8077c868435c2ab49cc70683489d229b

SHA1
31dfe51f87ec33073b2209e60de7ecd647007c7b

SHA256
72947e14b9e17653b7557c7083a39e453d05f3ef529ddab77c6d6099a95cc881

SHA512
a9f0247a0e1242c02928567f5e9d71564af930446a2be9bcaf51b415a4d30e3a064b1bcaf2c7115a268b01597f2b57905f49f42bd1989398213c262abbafe2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\utils\cookies.js
Filesize
1KB

MD5
6c60e675f8c8c68c0174b644d3a63a2a

SHA1
3635a3fe07ccc4a6f33a986ddb690522d0611abb

SHA256
9d3cb3822e20d6f5157faa02dc69bdaef44576c3fb5523e00aa152107ce30287

SHA512
1dc9ec7b139bcf37107ecd673c01e4fcc606332ea1645a4a1b4e5d95f817d4c99d5964cd3d941a6a526689341d9623b17b4efc002cdf4c73404299d52b1be452

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\utils\modal-events-delegate.js
Filesize
1KB

MD5
117e4fdbdb0ecf211c8bd909efd337d1

SHA1
9f8684d856b7c95bdffb139217dfd89f41373187

SHA256
267661f932a2ea78d8c7a98cc03d1b18d7cb8132deb84636772ecd1fcfbe4857

SHA512
f474ee20b59d3d0c11f9f6aee6b6e2b66f7025beaec9841f88455e60533dc96cb4e27910be0dae92b0028c5578932b7f459fdb91d594ad010f72a3b3af6addb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\utils\strings-loader.js
Filesize
5KB

MD5
9c94eb933d8a43dd3825e67a7e30c980

SHA1
7ec7b16af6f399219209ba5967d377040486a11b

SHA256
96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf

SHA512
a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\utils\utils.js
Filesize
118B

MD5
a0952ebeab701c05c75710c33d725e7e

SHA1
1da8a2e889f1213d481ae3cd5571670c01e64adc

SHA256
b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246

SHA512
5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\cri\cri-controller.js
Filesize
5KB

MD5
d222c95a2ef0b75ad6c96a3abe20fdc5

SHA1
641c39f92a169f0ca435ed12d2a4d276eb415642

SHA256
aafb56625ec30b24035baafff7bc20215e8ec7e4be4ea58a90aa5b46bdd14a6e

SHA512
e9e66abf6d95fc15a6ffe46cf85c3c9d3b80f3884ca4c8cbb5d2b024fa1dcc46a5e2f39041a4a120a8b8b881d07b3d70b18b552332180aa08c4a67577ea6242b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\cri\template.js
Filesize
1KB

MD5
76c1ef0cb437db144c2bed53a5a8a5d7

SHA1
aaab8fff649f8e46d1e9510018118ee9abe01498

SHA256
505d3c4de7d9cf8f0155b5b1a3c8792bc0ca2eda6781b441bd85455f144be22e

SHA512
822bf9feda91c89539d263c6c9053163e8dfa3c511195bc61a9b608b4687fb4048733323f03dd30a7ab661a4be4acf6c8d8ae7bb6723771122540a9551899c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\finish-with-recommended-app\finish-with-recommended-app-controller.js
Filesize
1KB

MD5
01878b1f0f27ba2af34f89c648f3e16f

SHA1
b45e04411d06052772b4645d1feb7a594b722067

SHA256
4c96454e5b0493676af666aa5716ba12209aa72fb30e8dbde8e85ab000a4350a

SHA512
5a7860c8df74ad9dd2eea3bd0927dbfa1fff1de7b9a093a6d727ecc2abb7139d721cbf76c55a7ade24ade5e08e6547321a62e3a1440eb202b7a8569305dfa782

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\finish-with-recommended-app\template.js
Filesize
681B

MD5
d1cb34b57cef7e28b9286454b197b712

SHA1
f3a964b319bab82d4eda07e126bbfd6dec35c349

SHA256
b61dfc304b46e8cd95d7b15bb93c6160b30523a1a093397a84fc8b8bed00ac42

SHA512
3a07de9c58134edbb7998f85e6d037a0cd066e32c4daa07594a949a7574f5693153bbcdb59739e1a92e847ab1128e2369fb30ba76a7b9cdfa9a37a409db691c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\finish\finish-controller.js
Filesize
2KB

MD5
cbdfd75bb47bda0ae536b3d45958b615

SHA1
9a69d440e1d8ba1976b2880964f7041c46e8bdf9

SHA256
b4221b80fbbc4ef93b3a1f668d8a3445353db9f3e1ec77c9b6520a7312ac46f9

SHA512
e78272fcd6af8656cd054c91b97508603792dcc75c4f7a123880671ff6ed126e03cd19ec13d005f655e8281a1e90f6b190be650ddf07522fa613a940148dd475

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\finish\template.js
Filesize
1KB

MD5
f092de7ea66d8e920b345f38537fa35d

SHA1
82d107a409f18878307ae0cefe24074db64937c4

SHA256
b05f111369e12ecb4cdc6526dd554061eb31097aa0de4bd126ddc185b69d922f

SHA512
14942c0122f216c07595cbaae498f9c4d37a2d0fd95f262c332502befdf4566c7a042c4d85702c1d82a111123dde677096195e9efeb1d74eb1dfd4df84d01a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\main\main-controller.js
Filesize
11KB

MD5
15b665a5c915004e1aa7e9e11a710f7e

SHA1
7821924e42bb19d60c572ff80bbaaa04d7aaeefb

SHA256
84dc33e2eb3118fc77a38b0ca53af42c53f6eb85cfb1e8737dbe39fa03515653

SHA512
dd47f7bac0dbaac714e6d2fc91b4c24756ca4acb70bdbc4b54cd5216552d6bb85ba2e1c3c8445c5fb40d116dfab6569945cd74730bb7c8f3cf46e8d08f8afa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\main\template.js
Filesize
3KB

MD5
a118c7724c208f12083240cafccfd10b

SHA1
f89c676a215b869626737862a08c9eb07d440211

SHA256
63a43bb08403972d0f4b0e381bd264af14e826e0035242bc1baa9a815956b8fc

SHA512
9fede79044ae5de7baf5bfba0d5a515ce462a25420026ff45bcf1751e57510023cb40df42d08e880114f62b38ddb218355d5357b725df32a41ae4e6a18414cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\modal\modal-controller.js
Filesize
2KB

MD5
995aa365976d4166ec6de5fe212b0255

SHA1
0d0e8c6aabfc8c967d5af224f66045314c0564b1

SHA256
cff5f7519eb05899df67ae1d79c9318ea344b068d95b565ae8dafacb70a1c52b

SHA512
71a51e34e92e2c478397e70ade9b33e39f4fb9a6da14f04a27997dfd9149978f4d90f0cb6d35e9ede116a2f6ed7f3c6f291383ef84d10994050893c1741f3de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\privacy\privacy-controller.js
Filesize
2KB

MD5
9caf44e466f9dc19ea102980da4ae5d5

SHA1
da7e0fa627f6f3d2d9f0ec091ba19aa81e66332f

SHA256
f0b55a937f0bdc60394c4259dc226562b552a6eaaac61950fa29400200f5380a

SHA512
e88b1e18b14e0abb6f625c4210196609f8f8c001dd3ff66b1807d66113df471468d6c8548bd1af1e1f5c25faf759517c4eb93108394ff1f9abc7b36a8b6ad11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\privacy\template.js
Filesize
655B

MD5
cf8d2c26520d7c84e560dfa79e31dcd3

SHA1
716f2ec17480d5cc9c145bc147833fbfc39d36f0

SHA256
95c459eae0edccdb94702aea603a097e461daa0e5f37dcd0e30de7df665433a8

SHA512
d466dcf7e86a4295857020feea281fc89f519f6bf1e79c3b5e1046d0745c9c9010377b1941e06c9a9b2c78a4173ed9909332d5d6c39b05f460e8a863086c895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\progress\progress-1-controller.js
Filesize
2KB

MD5
4bc723bda9cc718301f2533ca3196768

SHA1
7f78b74746762fd5007ea3fbce45349bb0ef7901

SHA256
164bbdea64ca671a04b91747191227a89992a34159f1578a2cbf0e16398af1ec

SHA512
920f898d1592ae8d713410ac3fb43e9d490d567f2bb70b8f8d2958a0899fb8bf6a0a735db63a8eb3e1bf2cb02be70354a0f7b92d12584b1ecbde2d5ec19f9a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\progress\template.js
Filesize
242B

MD5
92b145e6649ba0add3dee9a69d3fa91e

SHA1
4db1a45392ec973cc8a7eecf3a30a9a7ecc7a64d

SHA256
a7128a08bca53dd919cab3e5cb4dab31ded7ae2dafc957209b9fdd23f3b944ab

SHA512
747a087dffdba5c92d9f4c8923615d388b9c4c79d3b71d3cb90487aa37c132290a4f5107eef3055c03eadcb9614e20d4655393dc9251fab7e0ee2438f0d95751

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\settings\settings-controller.js
Filesize
6KB

MD5
7c30acb5d090c141185bf36c991c44ec

SHA1
59c12294a10835566e6ababc81ca6f66c0cfa984

SHA256
8928a80ed2c782ac5538cf7b2b5cbac05b5b70e03abb2e9c44cdf3061cf2f6ef

SHA512
9af7605aec15b76147060b592834568c023618ee9f1b6f375649c1a8f342476775f0b7b1fed1b015362dc481b1065a657f9a4b0aa8ae186a381acf6aef894ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\settings\template.js
Filesize
2KB

MD5
aee08bbe8994d59ce5b0fd4611968394

SHA1
3533ee4e288625aefdf5b2cd2a17494e340fa097

SHA256
91bdc29c6bee6de168cec29912e46d8bfb53a2a7c3d5082e3933eff8db887ecf

SHA512
13462812b482f5bad79260ca1ae9f11db38d32c9ca01204f5b1fb5c512e11b963d070fc2c5ab88d40e0069144d9a96eec86990e4d05b3032085607dca3bc9b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\welcome\template.js
Filesize
1KB

MD5
17f54fca6723b983875d940d931e0afb

SHA1
01774cd5cea36bd74c80a708d6f77567e8091024

SHA256
42c546e9da748ef76fdab56b96fd511eb607617a9ba37b3dc420148b769d8acb

SHA512
401df9a54cd14c19227d91bd08b4775a7b437644b4ca0d1d636d3e07b04591f9c5516e80040ae6a79ba400457d15e3d80aa148a63de870a64664fc5a02f7a038

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\js\windows\welcome\welcome-controller.js
Filesize
2KB

MD5
6127f0a4ee214776271ea6fce1fb58e9

SHA1
378cd32ccf043889de731fce6d96b6c21632a165

SHA256
aa42af897b154c05a5a5bdf5c9420e698bc943cf1a6fcd830aae7c5b8317f654

SHA512
f2b35ced730fb95b64dd72be81345788d1fb66d38f26f2ddeb205cbecfc767703a12c455d2bb8ba1dbada1a409e123aaf020a822321b8ad80947e67c53e83a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\app\manifest.json
Filesize
691B

MD5
9a8c966ae7708debf9da18f12da2ca3b

SHA1
d3a8e5edeeb19c5eb2de4f96cf73015e4edbebaf

SHA256
8d6d8ec96554ce1eb7ee67fc5d4149c21f77986cf866dad28cda26ea5c878bc0

SHA512
f868d7e6f54b2211fe795a7fcd42daa06bac9c7002a4cb74009d49a6a7280a0856c1416f673ce7a0e8f46761a2e45a4ab8a96755e607bb5778d83ac5374deff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\log4net.dll
Filesize
270KB

MD5
f15c8a9e2876568b3910189b2d493706

SHA1
32634db97e7c1705286cb1ac5ce20bc4e0ec17af

SHA256
ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309

SHA512
805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\uac.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\uac.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswF245.tmp\utils.dll
Filesize
55KB

MD5
aad3f2ecc74ddf65e84dcb62cf6a77cd

SHA1
1e153e0f4d7258cae75847dba32d0321864cf089

SHA256
1cc004fcce92824fa27565b31299b532733c976671ac6cf5dbd1e0465c0e47e8

SHA512
8e44b86c92c890d303448e25f091f1864946126343ee4665440de0dbeed1c89ff05e4f3f47d530781aa4db4a0d805b41899b57706b8eddfc95cfa64c073c26e2

Download Submit
memory/2104-307-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-305-0x0000021AA2CB0000-0x0000021AA2CC4000-memory.dmp

Filesize
80KB

Download
memory/2104-489-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-490-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-378-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-482-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-309-0x0000021AA2D50000-0x0000021AA2D96000-memory.dmp

Filesize
280KB

Download
memory/2104-1125-0x0000021ABB050000-0x0000021ABB0CA000-memory.dmp

Filesize
488KB

Download
memory/2104-306-0x0000021ABDC40000-0x0000021ABE168000-memory.dmp

Filesize
5.2MB

Download
memory/2104-488-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-390-0x00000222C1240000-0x00000222C19E6000-memory.dmp

Filesize
7.6MB

Download
memory/2104-353-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-352-0x0000021ABD7D0000-0x0000021ABD7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-349-0x0000021ABDBB0000-0x0000021ABDBD2000-memory.dmp

Filesize
136KB

Download
memory/2104-303-0x0000021AA2E10000-0x0000021AA2EA2000-memory.dmp

Filesize
584KB

Download
memory/2104-322-0x0000021ABE170000-0x0000021ABE220000-memory.dmp

Filesize
704KB

Download
memory/2104-299-0x0000021AA1030000-0x0000021AA1082000-memory.dmp

Filesize
328KB

Download
memory/2104-313-0x0000021AA2DA0000-0x0000021AA2DB8000-memory.dmp

Filesize
96KB

Download
memory/2160-1038-0x0000025B89E10000-0x0000025B8A096000-memory.dmp

Filesize
2.5MB

Download
memory/2160-1042-0x0000025BA5C60000-0x0000025BA5C70000-memory.dmp

Filesize
64KB

Download
memory/2632-476-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-477-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-466-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-467-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-480-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-479-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-478-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-468-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-473-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2632-475-0x000001731D720000-0x000001731D721000-memory.dmp

Filesize
4KB

Download
memory/2792-1078-0x00000151439F0000-0x0000015143A00000-memory.dmp

Filesize
64KB

Download
memory/2792-1080-0x0000015143A40000-0x0000015143A7C000-memory.dmp

Filesize
240KB

Download
memory/2792-1079-0x00000151439B0000-0x00000151439C2000-memory.dmp

Filesize
72KB

Download
memory/2808-988-0x00000000046B0000-0x00000000046CD000-memory.dmp

Filesize
116KB

Download