File name: TwitchChatOverlay-Setup.exe

Full analysis: https://app.any.run/tasks/32414b7b-2281-4230-a798-2ed1db033c61
Verdict: Malicious activity
Analysis date: June 01, 2024, 16:15:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B9196F34528FDA944FCA5E8CB7250A8B
SHA1: 14EF85766EFC23444998179BB56285AB78BEA0B7
SHA256: 5B7949F289F3ED75FB19470141CD0CFD9D8130A596A2FD25EED4DB243A341DAE
SSDEEP: 98304:qD5YcuVSL8f/QS6Cf40/ZC4yTMPp0nUNrovE1mW97TAFDqICM6s55s9j1ycouiqj:2EPR7uDfI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • TwitchChatOverlay-Setup.exe (PID: 3980)
      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • TwitchChatOverlay-Setup.exe (PID: 3980)
      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Reads security settings of Internet Explorer

      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Reads the Internet Settings

      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Process drops legitimate windows executable

      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Creates a software uninstall entry

      • Update.exe (PID: 3996)
    • Searches for installed software

      • Update.exe (PID: 3996)
    • Reads the date of Windows installation

      • TransparentTwitchChatWPF.exe (PID: 4064)
  • INFO

    • Creates files or folders in the user directory

      • TwitchChatOverlay-Setup.exe (PID: 3980)
      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Checks supported languages

      • TwitchChatOverlay-Setup.exe (PID: 3980)
      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
      • wmpnscfg.exe (PID: 1112)
    • Reads the computer name

      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
      • wmpnscfg.exe (PID: 1112)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Create files in a temporary directory

      • Update.exe (PID: 3996)
      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Disables trace logs

      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Reads Environment values

      • TransparentTwitchChatWPF.exe (PID: 4064)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1112)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:02:08 02:59:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 117248
InitializedDataSize: 6225408
UninitializedDataSize: -
EntryPoint: 0xab0b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.4.0
ProductVersionNumber: 1.0.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Application for Windows that will display Twitch chat on top of a windowed or borderless windowed game.
FileVersion: 1.0.4
InternalName: Setup.exe
LegalCopyright: 2024
OriginalFileName: Setup.exe
ProductName: Application for Windows that will display Twitch chat on top of a windowed or borderless windowed game.
ProductVersion: 1.0.4
SquirrelAwareVersion: 1
CompanyName: baffler
Total processes: 36
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 1112
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3980
CMD: "C:\Users\admin\AppData\Local\Temp\TwitchChatOverlay-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\TwitchChatOverlay-Setup.exe
Parent process: explorer.exe
User: admin
Company: baffler
Integrity Level: MEDIUM
Description: Application for Windows that will display Twitch chat on top of a windowed or borderless windowed game.
Exit code: 0
Version: 1.0.4
Modules (images):
c:\users\admin\appdata\local\temp\twitchchatoverlay-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3996
CMD: "C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install .
Path: C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
Parent process: TwitchChatOverlay-Setup.exe
User: admin
Company: GitHub
Integrity Level: MEDIUM
Description: Update
Exit code: 0
Version: 1.9.1.0
Modules (images):
c:\users\admin\appdata\local\squirreltemp\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 4064
CMD: "C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\TransparentTwitchChatWPF.exe" --squirrel-firstrun
Path: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\TransparentTwitchChatWPF.exe
Parent process: Update.exe
User: admin
Integrity Level: MEDIUM
Description: TransparentTwitchChatWPF
Version: 1.0.4
Modules (images):
c:\users\admin\appdata\local\transparenttwitchchatoverlay\app-1.0.4\transparenttwitchchatwpf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 9 361
Read events: 9 261
Write events: 100
Delete events: 0

Modification events

(PID) Process: (3996) Update.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TransparentTwitchChatOverlay
Operation: write
Name: DisplayName
Value: Transparent Twitch Chat Overlay

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TransparentTwitchChatOverlay
Operation: write
Name: DisplayVersion
Value: 1.0.4

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TransparentTwitchChatOverlay
Operation: write
Name: InstallDate
Value: 20240601

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TransparentTwitchChatOverlay
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay

(PID) Process: (3996) Update.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TransparentTwitchChatOverlay
Operation: write
Name: Publisher
Value: baffler
Executable files: 7
Suspicious files: 12
Text files: 8
Unknown types: 0

Dropped files

PID: 3980
Process: TwitchChatOverlay-Setup.exe
Filename: C:\Users\admin\AppData\Local\SquirrelTemp\RELEASES
Type: text
MD5: ED33AC8BAB64AABAACA2A9305291C3FE
SHA256: CAEB28F1270C4D48ED323A2BFF3DA3EE9474380B22C2BA0E75B86CB27AE226D4

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\Update.exe
Type: executable
MD5: C5F6CDA4976AE38CD9FBA3D1E5EBD244
SHA256: DAE7BD888B715B8E215482BC5EA6F028DED32A3AD88BF4ACB6431D2A62FFE3F4

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\assets\Alert 1.wav
Type: wav
MD5: B913094D0D6C3D7CAB805DECF013BABD
SHA256: 76C4820277959E50DD721AD8B03D9F3A9D23E20D310AFD1F067559A304448894

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\assets\Alert 3.wav
Type: binary
MD5: FB2E5091989A05A8DB0F45C916160F87
SHA256: 0601D5E5B3BAA15B4C8C8550F5DFC499E68C681DECFD94654F779A6AA5625FEC

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\TransparentTwitchChatWPF.exe.config
Type: xml
MD5: BD1765D475A5C70F84A0B84BF3BFC2FF
SHA256: 42BC7106AA45DD97EDCBFDBD83AF1F356A6C5F9C25BC8B5A78E4BA57B4523505

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\TransparentTwitchChatWPF.exe.manifest
Type: xml
MD5: 31E74989F5A5E38468A96324D7017D0D
SHA256: F3614AE08BBE2C738C3FABB31AB46D703B92A086F4450F6133BF81978AE982EA

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\packages\SquirrelTemp\tempa
Type: text
MD5: ED33AC8BAB64AABAACA2A9305291C3FE
SHA256: CAEB28F1270C4D48ED323A2BFF3DA3EE9474380B22C2BA0E75B86CB27AE226D4

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\TransparentTwitchChatWPF.exe
Type: executable
MD5: B676D88A0069EA5B59C579B75D87BA5C
SHA256: F7F4916F12D662C436E88412CE6E89C33CED0060CD26602E222ABBC96277C800

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Local\TransparentTwitchChatOverlay\app-1.0.4\TransparentTwitchChatWPF.exe
Type: executable
MD5: A903ADECD9526A1780A7E5F372965E34
SHA256: 099D4D7DDF912C80040A314379B6AB2BC799788F0C5B69F46599EF62A5011CD9

PID: 3996
Process: Update.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\baffler\TransparentTwitchChatWPF.lnk
Type: binary
MD5: C99119A6AEB42819EC0738B5AA401375
SHA256: 4BEFD4237A3171EF4285616674D44D08B059F91EEE0239ABD01F00959FBC2A7A
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process                       IP                    Domain          ASN     CN   Reputation
4     System                        192.168.100.255:138   -               -       -    whitelisted
4     System                        192.168.100.255:137   -               -       -    whitelisted
-     -                             224.0.0.252:5355      -               -       -    unknown
1088  svchost.exe                   224.0.0.252:5355      -               -       -    unknown
4064  TransparentTwitchChatWPF.exe  140.82.121.6:443      api.github.com  GITHUB  US   unknown

DNS requests

Domain          IP             Reputation
api.github.com  140.82.121.6   whitelisted

Threats

No threats detected
Process                       Message
TransparentTwitchChatWPF.exe  WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. (the same message is logged 10 times)