File name: OverwolfLauncher.exe

Full analysis: https://app.any.run/tasks/17c484b4-4c9e-4ad6-9f2d-2b9c136287a6
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 25, 2025, 22:58:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 8225FAE0EEDAD5F9CB0479C07906C15A
SHA1: EC291FC409DE9DB43E5BAED7726CA0FA9A49D0D6
SHA256: F86EE5AE51798DE2B392B57A760C5273879FF294B937DBB7F9E6B40C90081739
SSDEEP: 49152:/KbMkixJtJ3rmqeFhqbtmGeoC8yZCTpy3BzhPZG0CXBOtZhA5MkL8Qnyk0AcZvew:cixJuphBGeqwCdy3BzhPZQRK7kL30

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • OverwolfLauncher.exe (PID: 6624)
    • Steals credentials from Web Browsers

      • OverwolfLauncher.exe (PID: 6624)
  • SUSPICIOUS

    • Application launched itself

      • OverwolfLauncher.exe (PID: 6528)
    • There is functionality for taking screenshot (YARA)

      • OverwolfLauncher.exe (PID: 6528)
  • INFO

    • Checks supported languages

      • OverwolfLauncher.exe (PID: 6528)
      • OverwolfLauncher.exe (PID: 6624)
    • Reads the computer name

      • OverwolfLauncher.exe (PID: 6624)
      • OverwolfLauncher.exe (PID: 6528)
    • Reads the software policy settings

      • OverwolfLauncher.exe (PID: 6624)
      • OverwolfLauncher.exe (PID: 6528)
    • Creates files or folders in the user directory

      • OverwolfLauncher.exe (PID: 6624)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:08 12:51:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 1186304
InitializedDataSize: 664576
UninitializedDataSize: -
EntryPoint: 0xe5130
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.131.268.11
ProductVersionNumber: 1.131.268.11
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: Overwolf Ltd.
FileDescription: Overwolf Launcher
FileVersion: 1.131.268.11
InternalName: Overwolf Launcher
LegalCopyright: Copyright Overwolf © 2025
OriginalFileName: OverwolfLauncher
ProductName: OverwolfLauncher
ProductVersion: 1.131.268.11
No data.
All screenshots are available in the full report
Total processes: 129
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive in the full report): start → overwolflauncher.exe → overwolflauncher.exe; Set Network Location Elevated Virtual Factory (no specs)

Process information

PID: 6192
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{46B988E8-BEC2-401F-A1C5-16C694F26D3E}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\dllhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\kernel.appcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\bcryptprimitives.dll

PID: 6528
CMD: "C:\Users\admin\AppData\Local\Temp\OverwolfLauncher.exe"
Path: C:\Users\admin\AppData\Local\Temp\OverwolfLauncher.exe
Parent process: explorer.exe
User: admin
Company: Overwolf Ltd.
Integrity Level: MEDIUM
Description: Overwolf Launcher
Exit code: 0
Version: 1.131.268.11
Modules (images):
  • c:\users\admin\appdata\local\temp\overwolflauncher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll

PID: 6624
CMD: -cs
Path: C:\Users\admin\AppData\Local\Temp\OverwolfLauncher.exe
Parent process: OverwolfLauncher.exe
User: admin
Company: Overwolf Ltd.
Integrity Level: MEDIUM
Description: Overwolf Launcher
Exit code: 1
Version: 1.131.268.11
Modules (images):
  • c:\users\admin\appdata\local\temp\overwolflauncher.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
Total events: 1 140
Read events: 1 140
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID: 6624
Process: OverwolfLauncher.exe
Filename: C:\Users\admin\AppData\Local\Overwolf\CefBrowserCache\Default\Network\Cookies-journal
Type: binary
MD5: B590FA5EE4E6A1FEC533BD72CF4D0332
SHA256: B0F60DCD453DB26D857B25F383C0A4466D2B44CCE740A0BF7820CEC3A79A2F83

PID: 6624
Process: OverwolfLauncher.exe
Filename: C:\Users\admin\AppData\Local\Overwolf\CefBrowserCache\Default\Network\Cookies
Type: binary
MD5: CCF182EBA517015B532F6F9A17958A0B
SHA256: 50689921DEC5DAA501017F897A08D1B39A9CA2A95CB8EF53B60FD1EE0BBBB9ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 35
DNS requests: 19
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(Rows list only the values the report shows; PID and Process are blank for some requests, shown as "-".)

- | - | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6312 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6312 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6808 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
(Values the report leaves blank are shown as "-".)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
640 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
5064 | SearchApp.exe | 2.19.96.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6528 | OverwolfLauncher.exe | 18.245.86.39:443 | content.overwolf.com | - | US | whitelisted
6624 | OverwolfLauncher.exe | 18.245.86.39:443 | content.overwolf.com | - | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 95.101.54.122
  • 2.16.202.115
whitelisted
www.microsoft.com
  • 23.209.214.100
  • 184.30.21.171
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 2.19.96.128
  • 2.19.96.120
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
content.overwolf.com
  • 18.245.86.39
  • 18.245.86.78
  • 18.245.86.117
  • 18.245.86.110
whitelisted
tracking.overwolf.com
  • 54.92.136.147
  • 3.227.30.80
  • 3.231.116.5
  • 54.91.137.49
whitelisted
login.live.com
  • 40.126.31.1
  • 40.126.31.69
  • 40.126.31.67
  • 40.126.31.128
  • 20.190.159.131
  • 20.190.159.73
  • 40.126.31.130
  • 20.190.159.130
whitelisted
go.microsoft.com
  • 2.18.97.227
whitelisted

Threats

No threats detected
Process | Message
OverwolfLauncher.exe | OWLauncher::Process execution failed 2.
OverwolfLauncher.exe | OWLauncher::Waiting for event...
OverwolfLauncher.exe | OWLauncher::Process timeout
OverwolfLauncher.exe | OWLauncher::Exit Listener.
OverwolfLauncher.exe | OWLauncher::Listener End.
OverwolfLauncher.exe | OWLauncher::End.