hxxp://ezfn[.]dev

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ezfn.dev

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	OWinstaller.exe

Executes dropped EXE 2 IoCs

pid	Process
3236	Buff Achievement Tracker - Installer.exe
4784	OWinstaller.exe

Loads dropped DLL 11 IoCs

pid	Process
3236	Buff Achievement Tracker - Installer.exe
3236	Buff Achievement Tracker - Installer.exe
3236	Buff Achievement Tracker - Installer.exe
3236	Buff Achievement Tracker - Installer.exe
3236	Buff Achievement Tracker - Installer.exe
3236	Buff Achievement Tracker - Installer.exe
3236	Buff Achievement Tracker - Installer.exe
4784	OWinstaller.exe
4784	OWinstaller.exe
4784	OWinstaller.exe
4784	OWinstaller.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 944840.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
1560	msedge.exe
1560	msedge.exe
2932	identity_helper.exe
2932	identity_helper.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1300	msedge.exe
1300	msedge.exe
4784	OWinstaller.exe
4784	OWinstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	OWinstaller.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 5036	1560	msedge.exe	86
PID 1560 wrote to memory of 5036	1560	msedge.exe	86
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 3200	1560	msedge.exe	88
PID 1560 wrote to memory of 2100	1560	msedge.exe	87
PID 1560 wrote to memory of 2100	1560	msedge.exe	87
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89
PID 1560 wrote to memory of 4392	1560	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ezfn.dev
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaeca46f8,0x7ffbaeca4708,0x7ffbaeca4718
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1048 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5436 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8148300195023722995,6939575153503468684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3400

C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe
"C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3236
- C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\OWinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\OWinstaller.exe" Sel=1&Partner=3762&Extension=caboggillkkpgkiokbjmgldfkedbfnpkgadakcdl&Name=Buff%20Achievement%20Tracker&Thanks=https%3A%2F%2Fbuff.game%2Fthank-you-page%2F&Referer=www.buff.game&Browser=microsoftedge -partnerCustomizationLevel 0 --app-name="Buff" -exepath C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- - C:\Windows\System32\DxDiag.exe
    "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6fcb69591656951dc32d199fa09ac86c

SHA1
747f8ae1709a8f40a190888e902a740b272a6612

SHA256
8241a8c619d7badfc051f3f683cee41f7603c52c0a426a88000ae9e70882166f

SHA512
db6aa3492465e7223bb37f5600034b9ebe05917af43d0fccaf3599487f7f85933a769e124200c5162ab3d8b512de4bb67d9c238b17d99253ee1e50d99b95a33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
ba76743d7ca37f18238f329314845026

SHA1
95c5158f7186fcc79da9e6893d213aa67129d5a9

SHA256
45b7edb9edfbd3e24d2027cd5f50ffcda299884a991ed27b6863360fcb07cd8f

SHA512
47fa27b8c5e04d07bdafa6a742f168744bb9c38fc02c49437193c01f91f1b76a7838b4035cb891dcffa5bc5b8b50a7fdbf2ddd28473a55680e59b97b30d43b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
cff43aafa3f975f72f65ad9525f9d28a

SHA1
9105aa621e4d280d01ef3805598ea6ccf55e9f2c

SHA256
f0e2c6458a6a1fb4184735f7467a42dae625c9aeae81e1f772f1b0d75d9df7db

SHA512
c8521854fe4dacc33c8e58a0747df8c539b85d70fd1b68dee3d13c48fd242db2d1eae87474666ca506296250057f06ec82b13424f381846fa25f6537a0ffcda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c9ebc935ab0330c085e04bc73dde97ba

SHA1
345a966030796f0303f52f2dd28be35bd17fc596

SHA256
b9c1e8c5250a145b2e13ac07052f8020ea9cc4def09210d441bab407bfb6ee8b

SHA512
7e56e57d28c0232fc0cb6021d0965e798834c9d1790d1699f595c4870aaf9a3dd51441797b390aadbf845324a396741f6fbf9d10bc3f6be31443376febbb5f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
380ad790e34846bbd2814aa62cfca959

SHA1
68c3ade0d420f10db8394e8c284c044db13c2ba5

SHA256
535f990d962a0952f83d6365d7c91d51147edec6818ab02373486c9e21ee847c

SHA512
a9d50117b5e41d45bf4f9ccad391d46d2237b460fc7161cfe5259fa68a57f1f7fa9f10450d5dd0b11148d2bf0304642b4a603ef59275ceeac4a86963080f046a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df9f982f681213b1394c42e7a99961e2

SHA1
4650fcc9389f154405209cbdd1ad8daff9ba1b78

SHA256
11ec91d9f84df6a10fa4312b9604e91029fd3642fd3e3ed7b414bfbb11da3c70

SHA512
dfda610ba82aca395bcdc7693b51883377b4926cd40f52a32ade47cce917756607319662993ed1c02db27ff7620129bf7a82f071229c576c59796a1800379c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
55baf536081654565760da222852fe6d

SHA1
ceb7458154caf00fc0c7fbed3528ab7e5f427d0a

SHA256
242c4114ce1cd658c66f3610b5a8b4eff4c244ba37fc45a7ea6351f75f235a04

SHA512
03c3c41aca8831698533c778bba8498643c8843a912d3f120ef6ad402b5c8b652f06970843cd5232ea2bbee33dc69a325c910e4892887f85bb3edaf8e6c2f509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
28aaaecdc180cefd66a37c8e15ebdc84

SHA1
0aaf81b241662b838cd24b72e1b956b144b2fa53

SHA256
dea50d901cbc5d60e4e7c90f277ab4dd1e80d39904705828f5237a2f96db75e3

SHA512
8f01f33d9a8fe9aab8049c52210eb92ce84bd365c89cbe3d2d300ae0bf2eae25f4abb8ed872b07a95f55661b074960e1650e97d9bdeacf8729b349c5c3301f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e92f119a4a575e46e08b1d7dedcd6a1e

SHA1
5b54e66137d4d1c57b1b947c2a70fe3f81040884

SHA256
b1988d549adad858d77437213aabaa9c8423a53131913848513d47a673a1fb09

SHA512
6ffb130fd8ef85879faf3510ddd3991e14080ff1d577d724c6c728c8873903e60be074e110d3da93ffe369c10d78e7f0fb5804e6ed2837c85d30b38a4a97b057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
a6354788c37db5c51a7a8cc597296fa1

SHA1
aca9f3d6e998cf9d3fe438e570afea360299fe9c

SHA256
84eaed52e44127150eaa8ce3b612a008e459314e4bdb7f5b47620722d8b0fbda

SHA512
0f977417bde96a6efc36d5f894ec58e5459d938175fb8983cef380a99db45f1e044342d11d6477f52a962a8af37261ed4f9a944ea644ce99b5bf98040a4acbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cec5bafe0957f1ba5e476a2aec56b14c

SHA1
2c2983026c79c55da475696a66c4a864addee782

SHA256
2337ce3b401d51c9a81e4e22ee447ec481c0e7bc418c9fff09bfcecf5bddd298

SHA512
4fa4d97933b04e2c3a48c1c46128ab54739cdcb6ee6bbeb4509aa45abb14005422ed2e36f3ce9729f1f0408ce49c28e68a4b959845cc4b09428ef98d516b92d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
946c490185bb0e776199d340d2ab88a6

SHA1
2f66558fde0aaef62c910dd6758a1ad49c0114e4

SHA256
da81560bc4f3a09665dfb35cb2f2679077df0b2c6997436103c49694591c669b

SHA512
60f65d6b8e0ffe58f12aceaef3ef2a1abd8144528911617940767736dc86540da1da00ca9debb6c9ab852faef1b95ce1ae95630387cc0ad30b14373e3dfaa6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7bd829baa56590bba29557a14006c9b6

SHA1
b702f2eb26c88747664d1dd2139d617c2f1efde3

SHA256
f877fbf96551cd9ec06115108b80c3e383730d8efdf6bebcc26b3643a4b8a0e1

SHA512
96fcd1c2e36399d99d7ce3bd71dc4994d820dd3aaac058a2a23d75730d95fa4b561fc4cb5d858e126af414d8c0dc21d47e2728617996625c1303257ad1783151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebe504638d0d4714411a1d9eb3dd2831

SHA1
9d3f62503519bf8532f6084cf0bd53f143a4456d

SHA256
2bda55f1257bc9de415ac60b03f247061130a8b41874c7200f8465b180b30e5c

SHA512
6133197c8b5af79a388caffce22c2b771c803b4b5cfee17b2cd7f43e856776a584f0df6003f19d73e4b99cc9633165bf0095faba2fdc55e1cef8dbaf5066289f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1b6afa5cd36f4a1d19bbe44c4febb2fb

SHA1
67448b7114f771376ccd27ee14ece4462d776a21

SHA256
625e01ab3f8524db7047b6a1aac4351ba6a2123dc2eb3e541dc23e50c15ed7d2

SHA512
f1f2ab39269c4c2beeed40285adc8aff3f1bdf164500f0e7e5aeb23550fccd9afce82790476c9eeecdba9f2325fc842633aa990a311d51e70e5cad47a5a08dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a3c841bac881b78012a402ac8986c44

SHA1
4b1adbde7d147d8b82f1b5ce76f3c4888cf1290b

SHA256
67eee82b20d836b3ac861972a48c8c2c7f8800b32514cec9fde8a0b429c24f10

SHA512
09ca76a23ae0111702bc0d3735af86fa2f5b38899115707e7253a317f7cc9755a068cb21f96aa516318bba45e48479b8db117dc02bf292553fec3740a16e3dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
69183a0149cc72a2b06a800205f5742d

SHA1
b5481b1e9fac67016f69e98155539504351392da

SHA256
2d69257e8692d63bb792b7f6c51ecdb310ab75b09d9a74ee1e3146b02beb96c2

SHA512
98556f38d4371ec4b9e9572bef5d7c31ebbb919066cc4eda1b24fe51efb93f36786bf4807fc830bba86ae92c401e7f9a41b07debd662f13686f39f1e2c5707b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
30a388f619dc36805a39888efe8a3b02

SHA1
e1cefedda53a07945ec9729515d2e90aa8f82184

SHA256
4568a49da4723c901b2634b09d61ccc31eb6025854d6bab48c5eeca3d84dc9d1

SHA512
f75709a25aeec1dfb5b9ea40560a5613154bb19cfdd85987eed9ba9893b3d0de7d0c7086659c9dc06c8e6645d9bfdcb05c0d1840ec22e511ab574036e2ba8cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e959e52837981e1f5bed00d03e42bc59

SHA1
24cd4ad586bb73a04cce2f3f5c5e1d74e939b739

SHA256
9616f9161209529c7254e3ca05c7f2f10fc6e4ac83840e39178332f6f1e21a7a

SHA512
71ce3ce5b183152424f8cd78ee2905e3190b62c2e678bad69ee6bdf824c1b09165e8f51d8ffd2f3a7fbc31bc3a7c85131224d4e3437a6cc77f8573623db59976

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
752B

MD5
2f5d9a395c2e5afa7ce1413ba889ed6f

SHA1
bc91dd1fb5f91b6d36088c7b433fb3becde9a141

SHA256
3ea3b06bf1822bbcd3969089bdb5d9d612605fb869217aa3a1a126ecb5978bf9

SHA512
1a43084edacd451ebed88a465e90ecdc20c35960011276eb48b13002b04b5fa2e71890ab46260d5c9525236980a31c2fe80e9bf2af80f9ea050313bb93410d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\CommandLine.dll

Filesize
68KB

MD5
9d4f32c3352b55c790a5e8f84fc240d1

SHA1
8153aab9e9aabd663fbff310969ea71a4e6b4a75

SHA256
92ffe5d77dcc039b972c8810634af53470723f7cde0cf523aa2fb763c1302733

SHA512
3969dbdc043259537cf0a3e538484baed2f71d8a9070823954306e4e6e4353bf7195ea39bf92114d52ae9a2ec05475701d5989a99252550bee42cf2390ed5d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\Newtonsoft.Json.dll

Filesize
692KB

MD5
98cbb64f074dc600b23a2ee1a0f46448

SHA1
c5e5ec666eeb51ec15d69d27685fe50148893e34

SHA256
7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13

SHA512
eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\OWInstaller.exe

Filesize
298KB

MD5
d4e20428d9452039107fda7664e4a6de

SHA1
ce2a22ad5d16d034cea5fedca962863e2c9e5e49

SHA256
d4f35a7665eb33ad55143ed80e5f5c28ee08b38e39ab5b4c1458b3ec0ccd0a5a

SHA512
566d87e3d988448a2e8b662842dfa64ec6bc356cf7d585b584ff0c0f9f2e7e0e1e72902c9247d4196c5d97ec908f8d3e287bdee4768a83ad36cedd30c9ed30a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\OWinstaller.exe.config

Filesize
632B

MD5
82d22e4e19e27e306317513b9bfa70ff

SHA1
ff3c7dd06b7fff9c12b1beaf0ca32517710ac161

SHA256
272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827

SHA512
b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\OverWolf.Client.CommonUtils.dll

Filesize
645KB

MD5
4f15fc4110b434e0acdbdc0eb12f556c

SHA1
a7aed9172dc33ebf25b1d2d6f936faab142fb4be

SHA256
eeda9b734f93a155691c2266e6d520ce0053ef5f68a58dbe85edea9b4ea02476

SHA512
f5b84e3455f53efd7dfdd44132cc6dad4f2d8e86072884c07bd87edf6388d9bf8ebb6c989f5008ef0d6e563102bcbbee7d67a0f97e63d72aa60c3a3738725671

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\SharpRaven.dll

Filesize
80KB

MD5
152c32ff32fc64cfa678f84097340411

SHA1
69ffd617f0ee368fb4b9f562bd929e88c654a280

SHA256
31150f5ef648fee33489cbd0b57a09f8df4d012873e7a1e2e7d10040afd94102

SHA512
04584054efd36daada02b73c2f82f2d14a7f7c7c4833e110a1990b75f2dc55aa1f45ea13fe66985a2b5899326544cb57b8c26f0f4b0ab19591649c418ac322a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\UserInfo.dll

Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\app\manifest.json

Filesize
691B

MD5
49e26ce8beab7c7823371257352db8ba

SHA1
aad41fdb2d269c69dc94af75e5334e42644aec8d

SHA256
2f38ac6f13bce5dcd9ad33d3ba32dfec2613b7d53831cc96f3d7e6e042dc2407

SHA512
da4a963c2ac8e0aea9c57bddf55d853bac1350673be15754e8df4c671991ed1c536991051aec09a2ce8a90ce7b9e5e977d4646370d10a10d9751e03fff1387ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\log4net.dll

Filesize
270KB

MD5
f15c8a9e2876568b3910189b2d493706

SHA1
32634db97e7c1705286cb1ac5ce20bc4e0ec17af

SHA256
ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309

SHA512
805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\uac.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB415.tmp\utils.dll

Filesize
55KB

MD5
aad3f2ecc74ddf65e84dcb62cf6a77cd

SHA1
1e153e0f4d7258cae75847dba32d0321864cf089

SHA256
1cc004fcce92824fa27565b31299b532733c976671ac6cf5dbd1e0465c0e47e8

SHA512
8e44b86c92c890d303448e25f091f1864946126343ee4665440de0dbeed1c89ff05e4f3f47d530781aa4db4a0d805b41899b57706b8eddfc95cfa64c073c26e2

Download Submit
C:\Users\Admin\Downloads\Buff Achievement Tracker - Installer.exe

Filesize
2.0MB

MD5
4261ced963c5bd8d1e92db2ea0ce4518

SHA1
5f7491cf7fac7fb669127ef2816b004a8d4e04d4

SHA256
312090592a4e02e9b15caf6839dd1f2b6245980712ea4949477ae00bd78f18e9

SHA512
a0c67a4daeeefa956fa00c6ff4d07e00ca052a6bbec75606a6d2ea3e1d618bcd1b724659a9077991aa760612a0c6624619e0e6096b76f29bedf2abce0f145da1

Download Submit
memory/4784-660-0x00007FFBAA5E0000-0x00007FFBAB0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-664-0x000001EFEC2D0000-0x000001EFEC316000-memory.dmp

Filesize
280KB

Download
memory/4784-662-0x000001EFEBA60000-0x000001EFEBA70000-memory.dmp

Filesize
64KB

Download
memory/4784-661-0x000001EFEC910000-0x000001EFECE38000-memory.dmp

Filesize
5.2MB

Download
memory/4784-668-0x000001EFEC2A0000-0x000001EFEC2B8000-memory.dmp

Filesize
96KB

Download
memory/4784-653-0x000001EFE9E20000-0x000001EFE9E6C000-memory.dmp

Filesize
304KB

Download
memory/4784-677-0x000001EFEC820000-0x000001EFEC8D0000-memory.dmp

Filesize
704KB

Download
memory/4784-659-0x000001EFEB9E0000-0x000001EFEB9F4000-memory.dmp

Filesize
80KB

Download
memory/4784-657-0x000001EFEC330000-0x000001EFEC3D4000-memory.dmp

Filesize
656KB

Download
memory/4784-704-0x000001EFEC8D0000-0x000001EFEC8F2000-memory.dmp

Filesize
136KB

Download
memory/4784-707-0x000001EFEBA60000-0x000001EFEBA70000-memory.dmp

Filesize
64KB

Download
memory/4784-708-0x000001EFEBA60000-0x000001EFEBA70000-memory.dmp

Filesize
64KB

Download