bf066388ba859d290970a6011de59455dcaa6059b0ca120213b0b601ffe59369

Resubmissions

01-12-2024 18:15

241201-wwd19axqbx 10

01-12-2024 18:07

241201-wqgj7axpct 10

Analysis

max time kernel
150s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KiPoypXaweM/NVIDIA.exe
Size

59.5MB
MD5

e9411904a5793c0accdfe6c04f188f54
SHA1

1685b9afcd93937f56a7f8a34d39bd5e3f2d201b
SHA256

04bc993d4352f2bda8ea5f9d8cf124711b4b5ad82329a64c97fd325f22c6ed98
SHA512

052ac21a92072846107d5785127cb6b47a1cd45b3dc2bf317ade84b6ec6e252d7afd2bf562ef2efe483c4eda632aa808b512cebc3d10b9bcb77a3ff452ed7ef1
SSDEEP

786432:4CAq85qFp3n4/14bJ7spyKbb3vhgnG/GYdXW+nZq4Hw3MutfvvTBlA1l3apTyB5a:zc14t0rGGeH+ZqmwMYNq1l3a4BT6CGO

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NVIDIA.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	OWinstaller.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1944	OWinstaller.exe

Loads dropped DLL 11 IoCs

pid	Process
5068	OverwolfInstaller.exe
5068	OverwolfInstaller.exe
5068	OverwolfInstaller.exe
5068	OverwolfInstaller.exe
5068	OverwolfInstaller.exe
5068	OverwolfInstaller.exe
5068	OverwolfInstaller.exe
1944	OWinstaller.exe
1944	OWinstaller.exe
1944	OWinstaller.exe
1944	OWinstaller.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_71e43a6eaa912e56\input.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF	DxDiag.exe
File created	C:\Windows\System32\MicrosoftStoreHwd.txt	NVIDIA.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_f6ccd5b2c8226c4a\mshdc.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_72ab89a5cc3218be\machine.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_230f9025c8623e5d\usbport.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_71e43a6eaa912e56\input.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	DxDiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	DxDiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_e89200d3ede2154e\hdaudbus.PNF	DxDiag.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3628	sc.exe
3204	sc.exe
1088	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OverwolfInstaller.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DxDiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DxDiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DxDiag.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NVIDIA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NVIDIA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Kills process with taskkill 15 IoCs

evasion

pid	Process
4784	taskkill.exe
4704	taskkill.exe
3660	taskkill.exe
3960	taskkill.exe
4180	taskkill.exe
4652	taskkill.exe
1376	taskkill.exe
3932	taskkill.exe
3360	taskkill.exe
4020	taskkill.exe
2460	taskkill.exe
1976	taskkill.exe
3956	taskkill.exe
236	taskkill.exe
4960	taskkill.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	DxDiag.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	DxDiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-641261377-2215826147-608237349-1000\{D690DF12-FD67-42D3-855A-6D82F57CA266}	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\System32\\dxdiagn.dll"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-641261377-2215826147-608237349-1000\{F6D82E39-4C0B-4A22-9BC6-8D8D81474564}	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	DxDiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	DxDiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	DxDiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe
2824	NVIDIA.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3996	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	236	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	3996	taskmgr.exe
Token: SeSystemProfilePrivilege	3996	taskmgr.exe
Token: SeCreateGlobalPrivilege	3996	taskmgr.exe
Token: SeDebugPrivilege	1944	OWinstaller.exe
Token: SeBackupPrivilege	1940	svchost.exe
Token: SeRestorePrivilege	1940	svchost.exe
Token: SeSecurityPrivilege	1940	svchost.exe
Token: SeTakeOwnershipPrivilege	1940	svchost.exe
Token: 35	1940	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1944	OWinstaller.exe
1944	OWinstaller.exe
1944	OWinstaller.exe
448	DxDiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1792	2824	NVIDIA.exe	84
PID 2824 wrote to memory of 1792	2824	NVIDIA.exe	84
PID 2824 wrote to memory of 2232	2824	NVIDIA.exe	85
PID 2824 wrote to memory of 2232	2824	NVIDIA.exe	85
PID 2232 wrote to memory of 4180	2232	cmd.exe	86
PID 2232 wrote to memory of 4180	2232	cmd.exe	86
PID 2824 wrote to memory of 2184	2824	NVIDIA.exe	87
PID 2824 wrote to memory of 2184	2824	NVIDIA.exe	87
PID 2184 wrote to memory of 3360	2184	cmd.exe	88
PID 2184 wrote to memory of 3360	2184	cmd.exe	88
PID 2824 wrote to memory of 4736	2824	NVIDIA.exe	89
PID 2824 wrote to memory of 4736	2824	NVIDIA.exe	89
PID 4736 wrote to memory of 3628	4736	cmd.exe	90
PID 4736 wrote to memory of 3628	4736	cmd.exe	90
PID 2824 wrote to memory of 3160	2824	NVIDIA.exe	91
PID 2824 wrote to memory of 3160	2824	NVIDIA.exe	91
PID 3160 wrote to memory of 4020	3160	cmd.exe	92
PID 3160 wrote to memory of 4020	3160	cmd.exe	92
PID 2824 wrote to memory of 4308	2824	NVIDIA.exe	93
PID 2824 wrote to memory of 4308	2824	NVIDIA.exe	93
PID 4308 wrote to memory of 4652	4308	cmd.exe	94
PID 4308 wrote to memory of 4652	4308	cmd.exe	94
PID 2824 wrote to memory of 2052	2824	NVIDIA.exe	95
PID 2824 wrote to memory of 2052	2824	NVIDIA.exe	95
PID 2052 wrote to memory of 2460	2052	cmd.exe	96
PID 2052 wrote to memory of 2460	2052	cmd.exe	96
PID 2824 wrote to memory of 4864	2824	NVIDIA.exe	98
PID 2824 wrote to memory of 4864	2824	NVIDIA.exe	98
PID 2824 wrote to memory of 4360	2824	NVIDIA.exe	99
PID 2824 wrote to memory of 4360	2824	NVIDIA.exe	99
PID 4360 wrote to memory of 4784	4360	cmd.exe	100
PID 4360 wrote to memory of 4784	4360	cmd.exe	100
PID 2824 wrote to memory of 2980	2824	NVIDIA.exe	101
PID 2824 wrote to memory of 2980	2824	NVIDIA.exe	101
PID 2980 wrote to memory of 1976	2980	cmd.exe	102
PID 2980 wrote to memory of 1976	2980	cmd.exe	102
PID 2824 wrote to memory of 4952	2824	NVIDIA.exe	103
PID 2824 wrote to memory of 4952	2824	NVIDIA.exe	103
PID 4952 wrote to memory of 3204	4952	cmd.exe	104
PID 4952 wrote to memory of 3204	4952	cmd.exe	104
PID 2824 wrote to memory of 2704	2824	NVIDIA.exe	105
PID 2824 wrote to memory of 2704	2824	NVIDIA.exe	105
PID 2704 wrote to memory of 3956	2704	cmd.exe	106
PID 2704 wrote to memory of 3956	2704	cmd.exe	106
PID 2824 wrote to memory of 2592	2824	NVIDIA.exe	107
PID 2824 wrote to memory of 2592	2824	NVIDIA.exe	107
PID 2592 wrote to memory of 236	2592	cmd.exe	108
PID 2592 wrote to memory of 236	2592	cmd.exe	108
PID 2824 wrote to memory of 4384	2824	NVIDIA.exe	109
PID 2824 wrote to memory of 4384	2824	NVIDIA.exe	109
PID 4384 wrote to memory of 1376	4384	cmd.exe	110
PID 4384 wrote to memory of 1376	4384	cmd.exe	110
PID 2824 wrote to memory of 3236	2824	NVIDIA.exe	114
PID 2824 wrote to memory of 3236	2824	NVIDIA.exe	114
PID 2824 wrote to memory of 2136	2824	NVIDIA.exe	115
PID 2824 wrote to memory of 2136	2824	NVIDIA.exe	115
PID 2824 wrote to memory of 1004	2824	NVIDIA.exe	116
PID 2824 wrote to memory of 1004	2824	NVIDIA.exe	116
PID 1004 wrote to memory of 4960	1004	cmd.exe	117
PID 1004 wrote to memory of 4960	1004	cmd.exe	117
PID 2824 wrote to memory of 2856	2824	NVIDIA.exe	118
PID 2824 wrote to memory of 2856	2824	NVIDIA.exe	118
PID 2824 wrote to memory of 3844	2824	NVIDIA.exe	119
PID 2824 wrote to memory of 3844	2824	NVIDIA.exe	119

C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\NVIDIA.exe
"C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\NVIDIA.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color e
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3844
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1800
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\OverwolfInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\OverwolfInstaller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5068
- C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\OWinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\OWinstaller.exe" Sel=0&Referer=www.gezginler.net&Browser=chrome -partnerCustomizationLevel 0 -exepath C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\OverwolfInstaller.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1944
- - C:\Windows\System32\DxDiag.exe
    "C:\Windows\System32\DxDiag.exe" /tC:\Users\Admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
    3⤵
    - Drops file in System32 directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Overwolf\Log\InstallerTrace_2024-12-01_18-19_1944.log

Filesize
1KB

MD5
66b06b7b9bf1da5a0851b0bc1dbee840

SHA1
e28dccb28824d2c6ec180683078098ee53a4db7a

SHA256
420c2cb1a8d3961f0b7c0ce8b44c04186da087956c2828fff680cd44446a5b37

SHA512
3b12bb009723e495b90ddbd411444a755f9618eba1dc6fa473cd8b54d6d3991055fe7aa10a8bd59734beced90b4c1c2a5737348ff67e47a3c3bb7ad7d0092c31

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
752B

MD5
380c5dedc767bd75ef097a54334429f3

SHA1
2ee42c2dafe7e180746d6b6c4c4ee741c2f410d4

SHA256
bf1c1b9875c613ee6dd2755a9377abfef571e3b170895a8f02fbf795719d6f9c

SHA512
57513363d4536b9e4100ec85e758ca76b0cea064754117b41cd44b078554819c67645add388780abb4d208d89227761972a22dbafe83988e2d53a8b2cd4662cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\CommandLine.dll

Filesize
71KB

MD5
6d11c677cae02caa249a4f7f35fff112

SHA1
b417114c9b95ac2f3a2e9a68bf669f7342cd4cdb

SHA256
dde08c1db1ff43b08c7de59ae14045cb6fec13bec7ac65e142142453b8ab1ad4

SHA512
f992c2ad42372d0981e8512b34516b88c8ecacd89ade1027600ad883a6346c2b9d448fb027d38915b15f15f39c6b7f7d25c9af0c36835ff85224e48034609857

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\INetC.dll

Filesize
34KB

MD5
87050902acf23fa5aa6d6aa61703db97

SHA1
d5555e17151540095a8681cd892b79bce8246832

SHA256
0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750

SHA512
d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\Newtonsoft.Json.dll

Filesize
692KB

MD5
98cbb64f074dc600b23a2ee1a0f46448

SHA1
c5e5ec666eeb51ec15d69d27685fe50148893e34

SHA256
7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13

SHA512
eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\OWInstaller.exe

Filesize
305KB

MD5
4d4b3bc910f70b7bb6d7da07a76c7404

SHA1
082d17c125fb2b7dcb13d1a81dc99fbfc5ecbe75

SHA256
d9274e926fd1202f5691d187a694b130c227eafac03ed59f18e019b881ea8454

SHA512
c54d94a25c23eca98927a14728b62b3b8de41b8ec907d4a3ebcbd63db8ba400537b6fb3e59b243c2f2675eeebe70baa78d75b9a21d4c93a5d43b24d7d386ddc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\OWinstaller.exe.config

Filesize
632B

MD5
82d22e4e19e27e306317513b9bfa70ff

SHA1
ff3c7dd06b7fff9c12b1beaf0ca32517710ac161

SHA256
272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827

SHA512
b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\OverWolf.Client.CommonUtils.dll

Filesize
655KB

MD5
9562911e11231c09a4d420378c286f64

SHA1
a093e50dfb3cd7b71265d20c78c6182857ea518f

SHA256
c44259feeeae0f009deeffe5b83ed7e72727b8c409c7b62ef6ecb7b24b78b12a

SHA512
6cc6baeb2ca726856c7ba4cfe5a9bf247584a28470dd0de3794274883693d6a0efe922af492e487beae21b53198413e61596ad0e70d448c92acdb06dd9143e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\SharpRaven.dll

Filesize
82KB

MD5
f2f1cd4e9b1f772b7b7955c3310a126a

SHA1
6ea2b5ee4461053ad353d4826ba61388f98c28fc

SHA256
a8cd61fc4478da0464967f5c74b6ecc6a880e879f49ba552f7c3056d3d0d562a

SHA512
587aec3e0b2c913eb40259928dee536ffdb4f51c693682bf926351c86e1ace020bfff3fd9f279a48ecb0d2a46a460aa5d8adeddb3e268c7a5e5dae220100b66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\System.dll

Filesize
21KB

MD5
51bd16a2ea23ae1e7a92cedc6785c82e

SHA1
a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c

SHA256
4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33

SHA512
66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\UserInfo.dll

Filesize
14KB

MD5
1dd4ca0f4a94155f8d46ec95a20ada4a

SHA1
5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81

SHA256
a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d

SHA512
f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\assets\fonts\lato\LatoLatin-Regular.eot

Filesize
66KB

MD5
6cfad5881181ae658a6efdd68889a690

SHA1
5b54f6ccc20ed3a078fbdf94d7a68ac80002624d

SHA256
c6c970b103b3c3aa83f7a45172619a4451ea5f015f9f3ef4fd08c9a4aa895cbc

SHA512
ddd3d43540eb3d4eef48d0834136de1e7bf23a52f286d0a666cf57c7d685aadf1cea6d37c88f9d7ce5ad6143d7c3213f54b16a11f616b7dce154bba50997bbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\images\icon.ico

Filesize
10KB

MD5
b48ea7b5eab0cb7d27b0441ffee2eba2

SHA1
2d457a40e376b73dc332c74b3a1b9af920b06a4e

SHA256
ab6c2f416a0a8f5a23d43c7d1e58c00fab46c039ab29192b80c90633e2746b2e

SHA512
94f1e3e6e616d184b757b35f4d68619da3127c1ae387947c8436988de58f70f08aa299f5c42cb087c5761c9df92703889b44f88d4d96aac004ca696190af46c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\index.html

Filesize
20KB

MD5
c7b752acf6d1e10f3aca2c67b1ccf4d3

SHA1
ab793cb43e0c2b5af0fdcbf90d0d29d5d3e164f7

SHA256
69b9f99f6611f953d94984ac35bdaf9e9817f689e1e3614976bebe3465c613fc

SHA512
120addd79b7ade4f35b426c02631c8167d81080fde30a01b989453113f7547784e525d53bede41ede0c9b3caca8513060753ba51f75bf6936d32ee597d642576

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\app.js

Filesize
21KB

MD5
de88fce9253d26e0c61daa1783baa775

SHA1
07c5848354a247056baad369059aac9d3c940ecc

SHA256
993f140f9f4e5cdbdcc657a3c159328bf58b3483dbc27c451516a556763a79ba

SHA512
71ddd47ef7ed7c02fb31e8ffa2ea6d1b5178dbda2ab37bac208e088c8ba2127e0cf5eaa74ee7ad5809fa69e534853312c6c8775c68aeda63bf0e4a5caefa39b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\block_inputs.js

Filesize
789B

MD5
b5b52c92b90f4283a761cb8a40860c75

SHA1
7212e7e566795017e179e7b9c9bf223b0cdb9ec2

SHA256
f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544

SHA512
16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\libs\cmp.bundle.js

Filesize
347KB

MD5
deb60b40df89edecd35ea3d1410ef7a6

SHA1
9899f48d1b29c6a51e4b80ce0579ec4f51b72c74

SHA256
2eed337a035bfcba83bdf00686f236319bfdcdc5c5b4d57541cf855bfe4fd67a

SHA512
484daa9e6423c4aa90b310f7c957f850109afd4ef30ff0dc57e05d7ea30f9ae12dbed862197ac9f1ee99b26a7204ba14d1a95d8a8a6f5064a825e5d861fb8705

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\libs\jquery-1.10.2.min.js

Filesize
90KB

MD5
44e3f0db3e4ab6fedc5758c05cf27591

SHA1
2d408aa1d35661019c95adcc60b78c0727ed25b4

SHA256
bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144

SHA512
4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\models\notifications.js

Filesize
5KB

MD5
911451f65b2503d23bc27c6a6aa6af72

SHA1
01d3654b23ef7f5adeb4097bd851e8c100a7b2ab

SHA256
c32495d55eed52f47dc7268eeccb90fb6bdc5686135ed089416c6bb8f703a578

SHA512
06edaebb0bb2980a7b6d6baa31a9c0894a9bb5f14a91468ffb8f182d98f04bb811df2a4c37f0b56d612603528aa21f390eaa7cf885874ae770a24dce2f9b249c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\utils\analytics.js

Filesize
4KB

MD5
525281e9959af4c1c0d11b9243c798a1

SHA1
237a84c5b57bd132f48446d718b20640cb28c263

SHA256
c37f0699cf8ba7d9e3e0f73f1b2af65f4bdc2a31f44594ffc8c73e98b6c2fd1d

SHA512
fe5bafda7773e69c65dd63270e0306abcd39cb2d886b675ab8c714ae0833efde963b69623d468551a1ab37f1db1a1d457f1568f7a29d9cf0bb23bb0edcab5fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\utils\commands.js

Filesize
13KB

MD5
186f2a801c3d12b8b53e4b8f0510bd35

SHA1
567932df79e60d27d62752b1a1d72d6bf386c6b0

SHA256
bd6e86d0e6b33a44a1617458f0adff34a5cb0fc52568e03e5d74b8c72b5f379e

SHA512
eb87666e8fb40f81d9f14f61a6cffdba57edce1ab9b62c1df3ea3ffb0f96747f90465b2bee956c096f3762d25e90f5f130537046d8deba388d183cee1cc473c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\utils\cookies.js

Filesize
1KB

MD5
6c60e675f8c8c68c0174b644d3a63a2a

SHA1
3635a3fe07ccc4a6f33a986ddb690522d0611abb

SHA256
9d3cb3822e20d6f5157faa02dc69bdaef44576c3fb5523e00aa152107ce30287

SHA512
1dc9ec7b139bcf37107ecd673c01e4fcc606332ea1645a4a1b4e5d95f817d4c99d5964cd3d941a6a526689341d9623b17b4efc002cdf4c73404299d52b1be452

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\utils\modal-events-delegate.js

Filesize
1KB

MD5
117e4fdbdb0ecf211c8bd909efd337d1

SHA1
9f8684d856b7c95bdffb139217dfd89f41373187

SHA256
267661f932a2ea78d8c7a98cc03d1b18d7cb8132deb84636772ecd1fcfbe4857

SHA512
f474ee20b59d3d0c11f9f6aee6b6e2b66f7025beaec9841f88455e60533dc96cb4e27910be0dae92b0028c5578932b7f459fdb91d594ad010f72a3b3af6addb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\utils\strings-loader.js

Filesize
5KB

MD5
9c94eb933d8a43dd3825e67a7e30c980

SHA1
7ec7b16af6f399219209ba5967d377040486a11b

SHA256
96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf

SHA512
a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\utils\utils.js

Filesize
118B

MD5
a0952ebeab701c05c75710c33d725e7e

SHA1
1da8a2e889f1213d481ae3cd5571670c01e64adc

SHA256
b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246

SHA512
5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\cri\cri-controller.js

Filesize
3KB

MD5
4e4b4a9e2d86ae3c108105078db6d730

SHA1
826946be793c999316af6c1db10523950b18ea2c

SHA256
cee7fc5a36a01a439125be031923d7e7415ec56194255048098169a0108034b7

SHA512
1420065cd000ce9b9c39d27b5dc5f4055f67146e06573a03184649851c9745f0c0af2b5e35b41b5923703dd74e32f9ed95fc59a43db25f854584e319950beffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\cri\template.js

Filesize
1KB

MD5
76c1ef0cb437db144c2bed53a5a8a5d7

SHA1
aaab8fff649f8e46d1e9510018118ee9abe01498

SHA256
505d3c4de7d9cf8f0155b5b1a3c8792bc0ca2eda6781b441bd85455f144be22e

SHA512
822bf9feda91c89539d263c6c9053163e8dfa3c511195bc61a9b608b4687fb4048733323f03dd30a7ab661a4be4acf6c8d8ae7bb6723771122540a9551899c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\finish-with-recommended-app\finish-with-recommended-app-controller.js

Filesize
1KB

MD5
eb6d6bd7e05d4477e2704dd87b57ca35

SHA1
f42672ec1e23a3f4bcc2952746d87ba8deff44be

SHA256
5ca97132a258ed1f36e401d70ccb95be2c9e18395e6010c40f61172914477de5

SHA512
1402d611f910cf5078e804175fa4693b591348d3e7cf6d0a6bbe026c259eb9e0bc285233c80cb2f4690674c3e927bc72fbdcbe758826b98fd02ecb3ed82e339a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\finish-with-recommended-app\template.js

Filesize
681B

MD5
d1cb34b57cef7e28b9286454b197b712

SHA1
f3a964b319bab82d4eda07e126bbfd6dec35c349

SHA256
b61dfc304b46e8cd95d7b15bb93c6160b30523a1a093397a84fc8b8bed00ac42

SHA512
3a07de9c58134edbb7998f85e6d037a0cd066e32c4daa07594a949a7574f5693153bbcdb59739e1a92e847ab1128e2369fb30ba76a7b9cdfa9a37a409db691c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\finish\finish-controller.js

Filesize
1KB

MD5
138240ea22084428e9e25583e9156568

SHA1
e8bef7eab5b6e7040b996ec9504436e073444bd9

SHA256
4cb4e1aa25c15ae5f2e63fa4658a8acff0ce63e0f59cb6eb634df2dfe336e2ec

SHA512
e97b81b0ecd964e6e909019353efe4f5582f65763ac4197d754f1c4eea19cfc249900ae597fd33e29f531bb0d1c7e0f010793c59a2b0099fa75ad0b7d01ce8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\finish\template.js

Filesize
1KB

MD5
f092de7ea66d8e920b345f38537fa35d

SHA1
82d107a409f18878307ae0cefe24074db64937c4

SHA256
b05f111369e12ecb4cdc6526dd554061eb31097aa0de4bd126ddc185b69d922f

SHA512
14942c0122f216c07595cbaae498f9c4d37a2d0fd95f262c332502befdf4566c7a042c4d85702c1d82a111123dde677096195e9efeb1d74eb1dfd4df84d01a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\main\main-controller.js

Filesize
11KB

MD5
15b665a5c915004e1aa7e9e11a710f7e

SHA1
7821924e42bb19d60c572ff80bbaaa04d7aaeefb

SHA256
84dc33e2eb3118fc77a38b0ca53af42c53f6eb85cfb1e8737dbe39fa03515653

SHA512
dd47f7bac0dbaac714e6d2fc91b4c24756ca4acb70bdbc4b54cd5216552d6bb85ba2e1c3c8445c5fb40d116dfab6569945cd74730bb7c8f3cf46e8d08f8afa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\main\template.js

Filesize
3KB

MD5
a118c7724c208f12083240cafccfd10b

SHA1
f89c676a215b869626737862a08c9eb07d440211

SHA256
63a43bb08403972d0f4b0e381bd264af14e826e0035242bc1baa9a815956b8fc

SHA512
9fede79044ae5de7baf5bfba0d5a515ce462a25420026ff45bcf1751e57510023cb40df42d08e880114f62b38ddb218355d5357b725df32a41ae4e6a18414cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\modal\modal-controller.js

Filesize
2KB

MD5
b04bdfd1c7d09bdbdb94a2455fdd677b

SHA1
f000ba4866ff16d75bfd6cf446763498e19b12b1

SHA256
4565ee81ffe222b31982088b1c18850076e3acf59198ebce08118e12cbd87ea1

SHA512
3cb6ef0a16309046e7f407e7321eb12212b0eec09ec1a04b1d813f6c7a04546714865c3b398a93985041f598156ed905ebd23a64260801281b29ada9bc19ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\privacy\privacy-controller.js

Filesize
2KB

MD5
15bbec339f5046f525e3aa96d36c30ec

SHA1
f73d40bf06584737fe327f1eec6f4b0446545226

SHA256
14d9c60cd97f18e74fee2dd80b6a190eaccc526085991f356feb6b4d330a0fc3

SHA512
2b0edfd2d5efb3f739e56eb6f3bcfae4789af3e1639f5f8e5f7530f5af10eb1a61464d665c9d9b2f4eb3796f2445108599d8bea75f1709aa562feebee519da4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\privacy\template.js

Filesize
655B

MD5
cf8d2c26520d7c84e560dfa79e31dcd3

SHA1
716f2ec17480d5cc9c145bc147833fbfc39d36f0

SHA256
95c459eae0edccdb94702aea603a097e461daa0e5f37dcd0e30de7df665433a8

SHA512
d466dcf7e86a4295857020feea281fc89f519f6bf1e79c3b5e1046d0745c9c9010377b1941e06c9a9b2c78a4173ed9909332d5d6c39b05f460e8a863086c895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\progress\progress-1-controller.js

Filesize
1KB

MD5
82f0b997ed552c52a510a9f2ab29dc3a

SHA1
92aec3a656053c71eccdde610130f5d8008fa96f

SHA256
838bab990ce38372dfedb50eb0a270db705811729630ab8557c08bd1e9e8e105

SHA512
ecf67f877002d746eff8af3a50155aa381513ddafd17b6bff0188c85f0765579fea0112e82e1371f962b1f5decc94b65e6120f21fb516533dac35a2d541065bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\progress\template.js

Filesize
242B

MD5
92b145e6649ba0add3dee9a69d3fa91e

SHA1
4db1a45392ec973cc8a7eecf3a30a9a7ecc7a64d

SHA256
a7128a08bca53dd919cab3e5cb4dab31ded7ae2dafc957209b9fdd23f3b944ab

SHA512
747a087dffdba5c92d9f4c8923615d388b9c4c79d3b71d3cb90487aa37c132290a4f5107eef3055c03eadcb9614e20d4655393dc9251fab7e0ee2438f0d95751

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\settings\settings-controller.js

Filesize
6KB

MD5
378c18dd7d5cee6ca7c4ddd0396b535b

SHA1
d5f81d4fab29201fd1629dc4d8e6f918c0c30479

SHA256
b5c5dc5e0684fd97eb4c45896dc1c2de8a6a6fdc63b6aa83a99103c15787ef35

SHA512
c29416b3f0245f4826d857dc8c52c969071d2410c945bda96f38f59a9bc7137ee534d84865e5ac55a1e3cea6bb705c5d592725af709cd97e7f38ff05dbaafe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\settings\template.js

Filesize
4KB

MD5
28513de0830383a516028e4a6e7585a0

SHA1
d31fc3a6f4a3ce6c4afb82ff2342a1ed718809e5

SHA256
8014a7c919da249ba2f2196d9c9b62639d20851be426f3ffaef161cbe477c45f

SHA512
0f7321c2ae13145bb694368dae1b74e6fe20e6b09712da2178bc46e6aa65223ab84c38abbf0ed074c85b42dba1a238a5f3f8d1ae060a0af6df748c5befe11b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\welcome\template.js

Filesize
1KB

MD5
17f54fca6723b983875d940d931e0afb

SHA1
01774cd5cea36bd74c80a708d6f77567e8091024

SHA256
42c546e9da748ef76fdab56b96fd511eb607617a9ba37b3dc420148b769d8acb

SHA512
401df9a54cd14c19227d91bd08b4775a7b437644b4ca0d1d636d3e07b04591f9c5516e80040ae6a79ba400457d15e3d80aa148a63de870a64664fc5a02f7a038

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\js\windows\welcome\welcome-controller.js

Filesize
2KB

MD5
50f676754862a2ab47a582dd4d79ecf3

SHA1
1cb2f4b11f9f8cfc8dc57ff29d0256dec4811158

SHA256
6155691dbdd66290109afb91617f9cf68af6bd912991d5d27b922f5faa7f530b

SHA512
ccfc89e08fd36f0a694fcda17efb84ca285b6c62afe2e3a794fdad19b6882a4b618645f4d9171673ba56fb4c55fce336d6b8d26dec3a5cc11293ae2b211f499f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\app\manifest.json

Filesize
691B

MD5
b22a7aee785fd57c82dd5f7f76a0b300

SHA1
97528822fed8e42faa0de1f4d4c3de61cc6ce1e3

SHA256
53faf2f62e7aa22b60bc926803461213ce4230e114fce86acfe5cfd720f1dfb4

SHA512
4c66855ae30762b53f6f31bcfd3a24183614f8be716dc08180d5df2c71729ff0f1957ab04fc43b70e73c7e95511143e42dfde8150d2feb758804fecb12dd877d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\log4net.dll

Filesize
270KB

MD5
f15c8a9e2876568b3910189b2d493706

SHA1
32634db97e7c1705286cb1ac5ce20bc4e0ec17af

SHA256
ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309

SHA512
805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\uac.dll

Filesize
24KB

MD5
861f7e800bb28f68927e65719869409c

SHA1
a12bfcd2b9950e758ead281a9afbf1895bf10539

SHA256
10a0e8cf46038ab3b2c3cf5dce407b9a043a631cbde9a5c8bcf0a54b2566c010

SHA512
f2bf24a0da69bbe4b4a0f0b1bfc5af175a66b8bcc4f5cc379ed0b89166fa9ffe1e16206b41fca7260ac7f8b86f8695b76f016bb371d7642aa71e61e29a3976eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq7779.tmp\utils.dll

Filesize
58KB

MD5
c6b46a5fcdccbf3aeff930b1e5b383d4

SHA1
6d5a8e08de862b283610bad2f6ce44936f439821

SHA256
251ab3e2690562dcfcd510642607f206e6dcf626d06d94b74e1fa8297b1050a0

SHA512
97616475ef425421959489b650810b185488fcb02a1e90406b3014e948e66e5101df583815fd2be26d9c4d293a46b02ba4025426f743e682ed15d228f027f55c

Download Submit
memory/1944-205-0x0000026FB1F90000-0x0000026FB1FB2000-memory.dmp

Filesize
136KB

Download
memory/1944-173-0x0000026FB0960000-0x0000026FB0978000-memory.dmp

Filesize
96KB

Download
memory/1944-160-0x0000026F962C0000-0x0000026F9630E000-memory.dmp

Filesize
312KB

Download
memory/1944-164-0x0000026FB0770000-0x0000026FB0816000-memory.dmp

Filesize
664KB

Download
memory/1944-242-0x00000277B55C0000-0x00000277B5D66000-memory.dmp

Filesize
7.6MB

Download
memory/1944-166-0x0000026F97F80000-0x0000026F97F94000-memory.dmp

Filesize
80KB

Download
memory/1944-186-0x0000026FB0CB0000-0x0000026FB0D60000-memory.dmp

Filesize
704KB

Download
memory/1944-167-0x0000026FB0D70000-0x0000026FB1298000-memory.dmp

Filesize
5.2MB

Download
memory/1944-169-0x0000026FB0710000-0x0000026FB0756000-memory.dmp

Filesize
280KB

Download
memory/2824-1-0x00007FFA52D40000-0x00007FFA52D42000-memory.dmp

Filesize
8KB

Download
memory/2824-0-0x00007FFA52D30000-0x00007FFA52D32000-memory.dmp

Filesize
8KB

Download
memory/2824-2-0x00007FF79F640000-0x00007FF7A0640000-memory.dmp

Filesize
16.0MB

Download
memory/3996-17-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-16-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-15-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-9-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-10-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-19-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-8-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-14-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-18-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download
memory/3996-20-0x00000200B4910000-0x00000200B4911000-memory.dmp

Filesize
4KB

Download