analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

run_this_if_you_got_balls.exe

Full analysis: https://app.any.run/tasks/ea8b861e-816a-434f-ab73-c7cc8f7dd529
Verdict: Malicious activity
Analysis date: January 15, 2022, 01:04:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E63BF69ECCFEBFCF7580F4F770DB555E

SHA1:

65DF3E86542A8A6A548C6FACBF302213A9B26DF7

SHA256:

856564ABE8D897B441E4A8E44384E8F895BE65F32C456CF33F01D2EF34FB3A65

SSDEEP:

24576:OpZYvRoNyaooMslvC4AVeJ3H6UaLDd6l0BUL+YDRUSOqgEhTB0m6aoOcn+Ds:UZOWNyovhAVG3Htyd804pXgS0POc+A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • run_this_if_you_got_balls.exe (PID: 3980)
      • run_this_if_you_got_balls.exe (PID: 2528)
    • Loads dropped or rewritten executable

      • run_this_if_you_got_balls.exe (PID: 3980)
      • run_this_if_you_got_balls.exe (PID: 2528)
      • OWinstaller.exe (PID: 2300)
    • Changes settings of System certificates

      • OWinstaller.exe (PID: 2300)
    • Application was dropped or rewritten from another process

      • OWinstaller.exe (PID: 2300)
  • SUSPICIOUS

    • Checks supported languages

      • run_this_if_you_got_balls.exe (PID: 3980)
      • run_this_if_you_got_balls.exe (PID: 2528)
      • OWinstaller.exe (PID: 2300)
    • Reads the computer name

      • run_this_if_you_got_balls.exe (PID: 3980)
      • run_this_if_you_got_balls.exe (PID: 2528)
      • OWinstaller.exe (PID: 2300)
    • Application launched itself

      • run_this_if_you_got_balls.exe (PID: 3980)
    • Executable content was dropped or overwritten

      • run_this_if_you_got_balls.exe (PID: 3980)
      • run_this_if_you_got_balls.exe (PID: 2528)
      • OWinstaller.exe (PID: 2300)
    • Drops a file that was compiled in debug mode

      • run_this_if_you_got_balls.exe (PID: 2528)
      • OWinstaller.exe (PID: 2300)
    • Adds / modifies Windows certificates

      • OWinstaller.exe (PID: 2300)
    • Reads Environment values

      • OWinstaller.exe (PID: 2300)
      • DxDiag.exe (PID: 2620)
    • Creates/Modifies COM task schedule object

      • DxDiag.exe (PID: 2620)
    • Reads internet explorer settings

      • OWinstaller.exe (PID: 2300)
    • Reads Microsoft Outlook installation path

      • OWinstaller.exe (PID: 2300)
  • INFO

    • Reads settings of System Certificates

      • OWinstaller.exe (PID: 2300)
      • DxDiag.exe (PID: 2620)
    • Checks Windows Trust Settings

      • OWinstaller.exe (PID: 2300)
      • DxDiag.exe (PID: 2620)
    • Reads the computer name

      • DxDiag.exe (PID: 2620)
    • Checks supported languages

      • DxDiag.exe (PID: 2620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:12:25 06:01:44+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x3229
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.189.0.3
ProductVersionNumber: 2.189.0.3
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: Overwolf
FileVersion: 2.189.0.3
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: Overwolf
ProductVersion: 2.189.0.3

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Dec-2013 05:01:44
Detected languages:
  • English - United States
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: Overwolf
FileVersion: 2.189.0.3
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: Overwolf
ProductVersion: 2.189.0.3

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 25-Dec-2013 05:01:44
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000606C
0x00006200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45707
.rdata
0x00008000
0x00001460
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.94596
.data
0x0000A000
0x0002AF98
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.79535
.ndata
0x00035000
0x00013000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00048000
0x00003540
0x00003600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.28573

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.27028
773
UNKNOWN
English - United States
RT_MANIFEST
2
7.57954
3714
UNKNOWN
English - United States
RT_ICON
3
1.10023
2216
UNKNOWN
English - United States
RT_ICON
4
2.26683
1128
UNKNOWN
English - United States
RT_ICON
103
2.50269
62
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.66174
256
UNKNOWN
English - United States
RT_DIALOG
106
2.88094
284
UNKNOWN
English - United States
RT_DIALOG
111
2.48825
96
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start run_this_if_you_got_balls.exe run_this_if_you_got_balls.exe owinstaller.exe dxdiag.exe

Process information

PID
CMD
Path
Indicators
Parent process
3980"C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe" C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe
Explorer.EXE
User:
admin
Company:
Overwolf Ltd.
Integrity Level:
MEDIUM
Description:
Overwolf
Exit code:
1223
Version:
2.189.0.3
Modules
Images
c:\users\admin\appdata\local\temp\run_this_if_you_got_balls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
2528"C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe" /UAC:901A8 /NCRC C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe
run_this_if_you_got_balls.exe
User:
admin
Company:
Overwolf Ltd.
Integrity Level:
HIGH
Description:
Overwolf
Exit code:
1223
Version:
2.189.0.3
Modules
Images
c:\users\admin\appdata\local\temp\run_this_if_you_got_balls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
2300"C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWinstaller.exe" Sel=1&Channel=web_dl_btn&Partner=4204&Extension=edoaelkdajnifpnkdfillhjpaimimibflhkhjngh&Name=U.GG&Thanks=https%3A%2F%2Fgo.overwolf.com%2Finstall-successful%2F&UtmSource=ugghome /UAC:901A8 /NCRC -partnerCustomizationLevel 0 -exepath C:\Users\admin\AppData\Local\Temp\run_this_if_you_got_balls.exe C:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWinstaller.exe
run_this_if_you_got_balls.exe
User:
admin
Company:
Overwolf
Integrity Level:
HIGH
Description:
Overwolf Installer
Exit code:
0
Version:
2.187.0.5
Modules
Images
c:\users\admin\appdata\local\temp\nsjec1a.tmp\owinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2620"C:\Windows\System32\DxDiag.exe" /tC:\Users\admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txtC:\Windows\System32\DxDiag.exe
OWinstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft DirectX Diagnostic Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\dxdiag.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
Total events
22 047
Read events
21 763
Write events
267
Delete events
17

Modification events

(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2528) run_this_if_you_got_balls.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
12
Suspicious files
29
Text files
86
Unknown types
12

Dropped files

PID
Process
Filename
Type
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWInstaller.exeexecutable
MD5:437BD6F8A674D7F60B9A6C49F3F40EDC
SHA256:409B1D25FAADD555D4EEBEF970378641EAE347E06F36E2B82E33009C49EEB178
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\nsis7z.dllexecutable
MD5:8BC34305598F5FABED471A86A0133642
SHA256:AE7F725D7D37CA8B6639060C2BB4EA0BACFB59D281523411EBD048AF67393FBD
3980run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsxEA06.tmp\UserInfo.dllexecutable
MD5:9301577FF4D229347FE33259B43EF3B2
SHA256:090C4BC8DC534E97B3877BD5115EB58B3E181495F29F231479F540BAB5C01EDC
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\app\manifest.jsonbinary
MD5:D13AC7ACBAD20D60DFA1DFEC462AB375
SHA256:7C351ECFC9D1646253EAED45E8260F67736B048CEF316B00B7240E273EDA4557
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Counter[1]text
MD5:99914B932BD37A50B983C5E7C90AE93B
SHA256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
3980run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsxEA06.tmp\uac.dllexecutable
MD5:ADB29E6B186DAA765DC750128649B63D
SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\System.dllexecutable
MD5:7399323923E3946FE9140132AC388132
SHA256:5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\app\_locales\de\messages.jsonbinary
MD5:78EC264BF985B0393F3CF6F6C650EB23
SHA256:AC9DD27A1F4DB976FB741514E7E4D70047F988B79422B6994E9469E1D9E7714F
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Temp\nsjEC1A.tmp\OWInstaller.exe.configxml
MD5:4BF2A039CD2CF37CF37C19F2912996E0
SHA256:EC7C6BC4205712A0A78C68F7F0F762AC7E62276720A61A6877A94F6A573F0AA7
2528run_this_if_you_got_balls.exeC:\Users\admin\AppData\Local\Overwolf\OWInstall.logtext
MD5:07E605D2D7609CF336EA1708E86B5A0C
SHA256:C69AD6C6A1D6D89336E18DB86A6C852AB60C0CEB367C79922807E55DE7BE49DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
23
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2300
OWinstaller.exe
GET
200
69.16.175.42:80
http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=2.187.0.5&PartnerID=4204&Name=Manual_Installer_Launched&Value=1&UserName=&GameSessionId=&owver=0.187.0.4&MUID=21859394-9b15-41ba-bda6-e12e02f6e7ed
US
text
2 b
malicious
2300
OWinstaller.exe
GET
200
69.16.175.42:80
http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=2.187.0.5&PartnerID=4204&Name=installer_webbrowser_init&Value=1&UserName=&GameSessionId=&Extra=%255b%257b%2522Name%2522%253a%2522ver%2522%252c%2522Value%2522%253a%252211.0.9600.19597%2522%257d%255d&owver=0.187.0.4&MUID=21859394-9b15-41ba-bda6-e12e02f6e7ed
US
text
2 b
malicious
2300
OWinstaller.exe
GET
200
41.63.96.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?52a47d7c98ee5bcf
ZA
compressed
4.70 Kb
whitelisted
2300
OWinstaller.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG9FXshPqpwWCgAAAAEn3MY%3D
US
der
471 b
whitelisted
2300
OWinstaller.exe
GET
200
99.86.3.143:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
2300
OWinstaller.exe
GET
200
99.86.3.68:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
2300
OWinstaller.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
2300
OWinstaller.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGmSmALa8169CgAAAAEn3NM%3D
US
der
471 b
whitelisted
2300
OWinstaller.exe
GET
200
65.9.62.120:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
2300
OWinstaller.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2300
OWinstaller.exe
41.63.96.0:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
ZA
suspicious
2300
OWinstaller.exe
143.204.215.24:443
storeapi.overwolf.com
US
malicious
2300
OWinstaller.exe
142.250.185.174:80
www.google-analytics.com
Google Inc.
US
whitelisted
2300
OWinstaller.exe
65.9.61.40:443
content.overwolf.com
AT&T Services, Inc.
US
unknown
2528
run_this_if_you_got_balls.exe
69.16.175.42:80
analyticsnew.overwolf.com
Highwinds Network Group, Inc.
US
malicious
2300
OWinstaller.exe
69.16.175.42:80
analyticsnew.overwolf.com
Highwinds Network Group, Inc.
US
malicious
2300
OWinstaller.exe
13.35.253.89:443
www.overwolf.com
US
suspicious
2300
OWinstaller.exe
142.250.186.67:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2300
OWinstaller.exe
142.250.186.138:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2300
OWinstaller.exe
99.86.3.143:80
ocsp.rootg2.amazontrust.com
AT&T Services, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
analyticsnew.overwolf.com
  • 69.16.175.42
  • 69.16.175.10
malicious
www.google-analytics.com
  • 142.250.185.174
whitelisted
content.overwolf.com
  • 65.9.61.40
  • 65.9.61.96
  • 65.9.61.77
  • 65.9.61.114
whitelisted
storeapi.overwolf.com
  • 143.204.215.24
  • 143.204.215.107
  • 143.204.215.67
  • 143.204.215.30
shared
ctldl.windowsupdate.com
  • 41.63.96.0
whitelisted
fonts.googleapis.com
  • 142.250.186.138
whitelisted
o.ss2.us
  • 65.9.62.120
  • 65.9.62.115
  • 65.9.62.74
  • 65.9.62.53
whitelisted
ocsp.rootg2.amazontrust.com
  • 99.86.3.68
  • 99.86.3.204
  • 99.86.3.46
  • 99.86.3.143
whitelisted
ocsp.pki.goog
  • 142.250.186.67
whitelisted
ocsp.rootca1.amazontrust.com
  • 99.86.3.143
  • 99.86.3.68
  • 99.86.3.46
  • 99.86.3.204
shared

Threats

PID
Process
Class
Message
2528
run_this_if_you_got_balls.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
4 ETPRO signatures available at the full report
No debug info