File name: OverwolfLauncher.exe

Full analysis: https://app.any.run/tasks/227d9303-e7ad-4479-8a9e-b68f83fa4fac
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 10, 2024, 08:40:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 6323FBEF5CC8DA8432D255023B8B40BB
SHA1: 2B48504458CC9DAD72B201141518C7A1025B57EB
SHA256: DD08DB1A66A341858AEE10E1F3B6FFB7D2C2A6E75A484FD47AC765E6EB980CCB
SSDEEP: 49152:/v+Kgu5ZwSLr/tEEfqb1cupyIYuSF0Qwb1gEviE08kIHBahQuKWU2eZvevvdeO:au5Zflf9up1VSCQwb1gPYPhA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions looks like stealing of personal data
      • OverwolfLauncher.exe (PID: 6804)
    • Steals credentials from Web Browsers
      • OverwolfLauncher.exe (PID: 6804)
  • SUSPICIOUS
    • Application launched itself
      • OverwolfLauncher.exe (PID: 6728)
  • INFO
    • Checks supported languages
      • OverwolfLauncher.exe (PID: 6728)
      • OverwolfLauncher.exe (PID: 6804)
    • Reads the software policy settings
      • OverwolfLauncher.exe (PID: 6728)
      • OverwolfLauncher.exe (PID: 6804)
    • Reads the computer name
      • OverwolfLauncher.exe (PID: 6728)
      • OverwolfLauncher.exe (PID: 6804)
    • Creates files or folders in the user directory
      • OverwolfLauncher.exe (PID: 6804)
    • Create files in a temporary directory
      • OverwolfLauncher.exe (PID: 6804)
    • Sends debugging messages
      • OverwolfLauncher.exe (PID: 6728)
    • Reads the machine GUID from the registry
      • OverwolfLauncher.exe (PID: 6728)
      • OverwolfLauncher.exe (PID: 6804)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:27 18:13:38+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 1176064
InitializedDataSize: 669696
UninitializedDataSize: -
EntryPoint: 0xe52c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.120.259.2
ProductVersionNumber: 1.120.259.2
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: Overwolf Ltd.
FileDescription: Overwolf Launcher
FileVersion: 1.120.259.2
InternalName: Overwolf Launcher
LegalCopyright: Copyright Overwolf © 2024
OriginalFileName: OverwolfLauncher
ProductName: OverwolfLauncher
ProductVersion: 1.120.259.2
Total processes: 123
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Process information

PID: 6728
CMD: "C:\Users\admin\Desktop\OverwolfLauncher.exe"
Path: C:\Users\admin\Desktop\OverwolfLauncher.exe
Parent process: explorer.exe
User: admin
Company: Overwolf Ltd.
Integrity Level: MEDIUM
Description: Overwolf Launcher
Exit code: 0
Version: 1.120.259.2
Modules (images):
c:\users\admin\desktop\overwolflauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 6804
CMD: -cs
Path: C:\Users\admin\Desktop\OverwolfLauncher.exe
Parent process: OverwolfLauncher.exe
User: admin
Company: Overwolf Ltd.
Integrity Level: MEDIUM
Description: Overwolf Launcher
Exit code: 0
Version: 1.120.259.2
Modules (images):
c:\users\admin\desktop\overwolflauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 6 794
Read events: 6 794
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6804 | OverwolfLauncher.exe | C:\Users\admin\AppData\Local\Temp\cs_39c4 | sqlite
  MD5: 46D9FCA6032297F8AEE08D73418312BA
  SHA256: 865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4
6804 | OverwolfLauncher.exe | C:\Users\admin\AppData\Local\Temp\cs_7d7d-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6804 | OverwolfLauncher.exe | C:\Users\admin\AppData\Local\Temp\cs_6400 | binary
  MD5: 06AD9E737639FDC745B3B65312857109
  SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
6804 | OverwolfLauncher.exe | C:\Users\admin\AppData\Local\Overwolf\BrowserCache\Network\Cookies-journal | binary
  MD5: 3411F601F742DE486549685842DFF4A1
  SHA256: 3C46E6BEE59050DB39D9ECBAD74A29D677CE9D8E1DB920A27EA20630807C17A5
6804 | OverwolfLauncher.exe | C:\Users\admin\AppData\Local\Overwolf\BrowserCache\Network\Cookies | sqlite
  MD5: CCF182EBA517015B532F6F9A17958A0B
  SHA256: 50689921DEC5DAA501017F897A08D1B39A9CA2A95CB8EF53B60FD1EE0BBBB9ED
6804 | OverwolfLauncher.exe | C:\Users\admin\AppData\Local\Temp\cs_7d7d | binary
  MD5: 19BA68C3ECBCA72C2B90AFADDE745DC6
  SHA256: 8B3758EE2D2C0A07EE7003F902F0667ABE5D9667941F8617EDA3CDF94C78E7B8
HTTP(S) requests: 10
TCP/UDP connections: 26
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1764 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1764 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 65.9.95.55:443 | https://content.overwolf.com/ow-electron/config/ow-launcher.json | unknown | binary | 2 b | whitelisted
- | - | POST | 200 | 18.235.122.59:443 | https://tracking.overwolf.com/tracking/InsertStats?Stats=true | unknown | - | - | whitelisted
- | - | POST | 200 | 18.204.157.117:443 | https://tracking.overwolf.com/tracking/InsertStats?Stats=true | unknown | - | - | whitelisted
- | - | GET | 200 | 65.9.95.124:443 | https://content.overwolf.com/ow-electron/config/ow-launcher.json | unknown | binary | 2 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1764 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6728 | OverwolfLauncher.exe | 18.245.86.78:443 | content.overwolf.com | - | US | whitelisted
6804 | OverwolfLauncher.exe | 18.245.86.78:443 | content.overwolf.com | - | US | whitelisted
6944 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1764 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
www.bing.com | 104.126.37.123, 104.126.37.128, 104.126.37.185, 104.126.37.130, 104.126.37.186, 104.126.37.178, 104.126.37.177, 104.126.37.176, 104.126.37.162 | whitelisted
google.com | 142.250.185.142 | whitelisted
content.overwolf.com | 18.245.86.78, 18.245.86.110, 18.245.86.117, 18.245.86.39 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
tracking.overwolf.com | 107.21.60.136, 18.204.157.117, 18.235.122.59, 52.73.148.109 | whitelisted
self.events.data.microsoft.com | 20.42.65.89 | whitelisted

Threats

No threats detected
Process | Message
OverwolfLauncher.exe | OWLauncher::Process execution failed 2.
OverwolfLauncher.exe | OWLauncher::Waiting for event...
OverwolfLauncher.exe | OWLauncher::Exit Listener.
OverwolfLauncher.exe | OWLauncher::Process timeout
OverwolfLauncher.exe | OWLauncher::Listener End.
OverwolfLauncher.exe | OWLauncher::End.