File name:

overwolf-0-198-0-11.exe

Full analysis: https://app.any.run/tasks/25e908d4-3fa7-472b-9acd-87e4c0e6ca26
Verdict: Malicious activity
Analysis date: April 07, 2024, 23:03:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

2825F1269E82A2C763D14A52FCF2CC69

SHA1:

A6D70E6D07A31695EAFDDF755C93FD1824D47ADC

SHA256:

9B6BE3D1A4462B4C435E4F9E7DC4CF97B61355D06D81ED0EA857611703DD6D0E

SSDEEP:

49152:YFN3c7lNpx6Z9qJiEkzlWTUxuVZDwj+ha0gt721HdxG/4JH6ZgcFM58EERR88xvd:YFNMZQZ985kzYTVZDwjT0gtS19xG/QIb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • overwolf-0-198-0-11.exe (PID: 1692)
      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • overwolf-0-198-0-11.exe (PID: 1692)
      • overwolf-0-198-0-11.exe (PID: 3180)

    • The process creates files with name similar to system file names

      • overwolf-0-198-0-11.exe (PID: 1692)
      • overwolf-0-198-0-11.exe (PID: 3180)

    • Reads the Internet Settings

      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)
      • dxdiag.exe (PID: 2564)

    • Application launched itself

      • overwolf-0-198-0-11.exe (PID: 1692)

    • Reads security settings of Internet Explorer

      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)

    • Drops 7-zip archiver for unpacking

      • overwolf-0-198-0-11.exe (PID: 3180)

    • Checks Windows Trust Settings

      • OWinstaller.exe (PID: 1656)

    • Reads settings of System Certificates

      • OWinstaller.exe (PID: 1656)
      • dxdiag.exe (PID: 2564)

    • Adds/modifies Windows certificates

      • OWinstaller.exe (PID: 1656)

    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 2564)

    • Reads Internet Explorer settings

      • OWinstaller.exe (PID: 1656)

    • Reads Microsoft Outlook installation path

      • OWinstaller.exe (PID: 1656)

  • INFO

    • Reads the computer name

      • overwolf-0-198-0-11.exe (PID: 1692)
      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)

    • Checks supported languages

      • overwolf-0-198-0-11.exe (PID: 1692)
      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)

    • Create files in a temporary directory

      • overwolf-0-198-0-11.exe (PID: 1692)
      • overwolf-0-198-0-11.exe (PID: 3180)
      • dxdiag.exe (PID: 2564)

    • Checks proxy server information

      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)

    • Reads the machine GUID from the registry

      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)

    • Creates files or folders in the user directory

      • overwolf-0-198-0-11.exe (PID: 3180)
      • OWinstaller.exe (PID: 1656)
      • dxdiag.exe (PID: 2564)

    • Reads the software policy settings

      • OWinstaller.exe (PID: 1656)
      • dxdiag.exe (PID: 2564)

    • Reads product name

      • OWinstaller.exe (PID: 1656)

    • Reads Environment values

      • OWinstaller.exe (PID: 1656)

    • Reads security settings of Internet Explorer

      • dxdiag.exe (PID: 2564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:12:25 05:01:44+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 186368
UninitializedDataSize: 2048
EntryPoint: 0x3229
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.195.0.0
ProductVersionNumber: 2.195.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: Overwolf
FileVersion: 2.195.0.0
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: Overwolf
ProductVersion: 2.195.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start overwolf-0-198-0-11.exe no specs overwolf-0-198-0-11.exe owinstaller.exe dxdiag.exe

Process information

PID
CMD
Path
Indicators
Parent process
1656"C:\Users\admin\AppData\Local\Temp\nsi215F.tmp\OWinstaller.exe" Sel=0&Channel=web_dl_btn /UAC:14019C /NCRC -partnerCustomizationLevel 0 -exepath C:\Users\admin\AppData\Local\Temp\overwolf-0-198-0-11.exe C:\Users\admin\AppData\Local\Temp\nsi215F.tmp\OWinstaller.exe
overwolf-0-198-0-11.exe
User:
admin
Company:
Overwolf
Integrity Level:
HIGH
Description:
Overwolf Installer
Version:
2.195.0.0
Modules
Images
c:\users\admin\appdata\local\temp\nsi215f.tmp\owinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1692"C:\Users\admin\AppData\Local\Temp\overwolf-0-198-0-11.exe" C:\Users\admin\AppData\Local\Temp\overwolf-0-198-0-11.exeexplorer.exe
User:
admin
Company:
Overwolf Ltd.
Integrity Level:
MEDIUM
Description:
Overwolf
Version:
2.195.0.0
Modules
Images
c:\users\admin\appdata\local\temp\overwolf-0-198-0-11.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
2564"C:\Windows\System32\DxDiag.exe" /tC:\Users\admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txtC:\Windows\System32\dxdiag.exe
OWinstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft DirectX Diagnostic Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3180"C:\Users\admin\AppData\Local\Temp\overwolf-0-198-0-11.exe" /UAC:14019C /NCRC C:\Users\admin\AppData\Local\Temp\overwolf-0-198-0-11.exe
overwolf-0-198-0-11.exe
User:
admin
Company:
Overwolf Ltd.
Integrity Level:
HIGH
Description:
Overwolf
Version:
2.195.0.0
Modules
Images
c:\users\admin\appdata\local\temp\overwolf-0-198-0-11.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
27 690
Read events
27 406
Write events
248
Delete events
36

Modification events

(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoConfigURL
Value:
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:AutoDetect
Value:
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3180) overwolf-0-198-0-11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
13
Suspicious files
13
Text files
78
Unknown types
28

Dropped files

PID
Process
Filename
Type
1692overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsh2026.tmp\UserInfo.dllexecutable
MD5:
SHA256:
1692overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsh2026.tmp\System.dllexecutable
MD5:
SHA256:
1692overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsh2026.tmp\uac.dllexecutable
MD5:
SHA256:
1692overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsh2026.tmp\nsProcess.dllexecutable
MD5:
SHA256:
3180overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsi215F.tmp\UserInfo.dllexecutable
MD5:
SHA256:
3180overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsi215F.tmp\System.dllexecutable
MD5:
SHA256:
3180overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsi215F.tmp\uac.dllexecutable
MD5:
SHA256:
3180overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Temp\nsi215F.tmp\INetC.dllexecutable
MD5:
SHA256:
3180overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Counter[1]binary
MD5:
SHA256:
3180overwolf-0-198-0-11.exeC:\Users\admin\AppData\Local\Overwolf\OWInstall.logtext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
21
DNS requests
10
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3180
overwolf-0-198-0-11.exe
GET
200
18.244.18.106:80
http://analyticsnew.overwolf.com/analytics/Counter?Name=installer_uac_action&Value=1&Extra=%5b%7b%22Name%22%3a%22installer_version%22%2c%22Value%22%3a%222.195.0.0%22%7d%5d
unknown
unknown
1656
OWinstaller.exe
GET
200
18.244.18.106:80
http://analyticsnew.overwolf.com/analytics/Counter?CurrentVersion=2.195.0.0&PartnerID=0&Name=Manual_Funnel2_Installer_Launched&Value=1&UserName=&GameSessionId=&owver=0.195.0.8&MUID=04af837a-cacd-41f7-bfda-46c01c26ea76
unknown
unknown
1656
OWinstaller.exe
GET
200
142.250.186.110:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=155621008&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=180908536&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.2102084912.1712530991.1712530991.1712530991.2%3B%2B__utmz%3D0.1712530991.1.1.utmcsr%3D(direct)%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5(Funnel2*Installer%20Launched*2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client)()&gaq=1&utmt=event
unknown
unknown
1656
OWinstaller.exe
GET
304
23.53.40.49:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3ab299a1b8d7efac
unknown
unknown
1656
OWinstaller.exe
GET
200
108.138.2.107:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
unknown
1656
OWinstaller.exe
GET
304
23.53.40.49:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a61769e2cb9c77d0
unknown
unknown
1656
OWinstaller.exe
GET
200
18.245.39.64:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEowz8xPdLX1MG5U07e%2BCsM%3D
unknown
unknown
1656
OWinstaller.exe
GET
304
23.53.40.49:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1e64360b57564b50
unknown
unknown
1656
OWinstaller.exe
GET
200
142.250.186.35:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
unknown
1656
OWinstaller.exe
GET
200
18.245.39.64:80
http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEm3iwvr9LEetiLFWbgGCBG0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3180
overwolf-0-198-0-11.exe
18.244.18.106:80
analyticsnew.overwolf.com
US
unknown
1656
OWinstaller.exe
18.244.18.106:80
analyticsnew.overwolf.com
US
unknown
1656
OWinstaller.exe
142.250.186.110:80
www.google-analytics.com
GOOGLE
US
whitelisted
1656
OWinstaller.exe
18.245.86.78:443
content.overwolf.com
US
unknown
1656
OWinstaller.exe
23.53.40.49:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1656
OWinstaller.exe
142.250.186.170:443
fonts.googleapis.com
GOOGLE
US
whitelisted
1656
OWinstaller.exe
108.138.2.107:80
o.ss2.us
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
analyticsnew.overwolf.com
  • 18.244.18.106
  • 18.244.18.46
  • 18.244.18.51
  • 18.244.18.56
unknown
www.google-analytics.com
  • 142.250.186.110
whitelisted
content.overwolf.com
  • 18.245.86.78
  • 18.245.86.110
  • 18.245.86.117
  • 18.245.86.39
whitelisted
ctldl.windowsupdate.com
  • 23.53.40.49
  • 23.53.40.35
whitelisted
fonts.googleapis.com
  • 142.250.186.170
whitelisted
o.ss2.us
  • 108.138.2.107
  • 108.138.2.10
  • 108.138.2.195
  • 108.138.2.173
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.245.39.64
whitelisted
ocsp.pki.goog
  • 142.250.186.35
whitelisted
ocsp.rootca3.amazontrust.com
  • 18.245.39.64
unknown
fonts.gstatic.com
  • 142.250.181.227
whitelisted

Threats

PID
Process
Class
Message
3180
overwolf-0-198-0-11.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
overwolf-0-198-0-11.exe