plugx | 8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997

Analysis

max time kernel
158s
max time network
177s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
Size

893KB
MD5

fcaba1be07ff24ecbc53df4eda744298
SHA1

5f793f1ec29377213eb80556b8819f7f7fefefdd
SHA256

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997
SHA512

bcde87620a2590e05ac78b9a8777d1f6c51cfdc68b5a283ca15fdf7942cb288996c9d935b883d70aaca5f887f75ad5230304b263b69ad784a2f4d089cac2c9ae
SSDEEP

24576:lIbVFZC10w1sepi8Hx28WdNizMMTTdcvcCJM3pEGppDrIko:lILA1T1poMx28MNizMKor6uGp

Score

10^/10

plugx redline vidar infostealer stealer trojan

Malware Config

Signatures

Detects PlugX payload 3 IoCs

Processes:

resource	yara_rule
\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe	family_plugx
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe	family_plugx
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 2 IoCs

Processes:

OWinstaller.exeOverwolfSetup.exe

pid process

1928 OWinstaller.exe
1840 OverwolfSetup.exe

Loads dropped DLL 14 IoCs

Processes:

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exeOWinstaller.exeOverwolfSetup.exe

pid	process
1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1840	OverwolfSetup.exe
1840	OverwolfSetup.exe
1840	OverwolfSetup.exe
1840	OverwolfSetup.exe
1840	OverwolfSetup.exe

Drops file in Program Files directory 64 IoCs

Processes:

OverwolfSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfCrashHandler.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\xinput9_1_0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OWCleanup.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfBenchmarking.exe.config	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Interop.iTunesLib.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\chrome_elf.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\natives_blob.bin	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Tobii.EyeX.Client.Net20.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\cef_extensions.pak	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverWolf.Client.BL.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\D3DCompiler_43.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\win-h264.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\widevinecdmadapter.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Interop.OverwolfTSHelperLib.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Overwolf.RemoteController.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OWExplorerLauncher.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libvorbisenc-2.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\ow-obs.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Common Files\Overwolf\0.116.2.25\OverwolfHelper64.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfBrowser.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Interop.IWshRuntimeLibrary.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libobs-opengl.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfStore.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\protobuf-net.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\x64\OWClient.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverWolf.Client.CommonUtils.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OWLog.cfg	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libEGL.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libopus-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\obsglad.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\PepperFlash\pepflashplayer32.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Tobii.EyeX.Client.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverWolf.BL.Communication.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\msvcr120.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\w32-pthreads.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\cef_200_percent.pak	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\leveldb-sharp.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\x64\EasyHook.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfTSHelper.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\swscale-4.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Google.GData.Client.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OWClient.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\msvcp100.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\CommandLine.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\zlib.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Common Files\Overwolf\0.116.2.25\OverwolfHelper.exe	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\devtools_resources.pak	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\icudtl.dat	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfCrashHandler.exe.config	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libx264-152.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Google.GData.YouTube.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Xilium.CefGlue.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\v8_context_snapshot.bin	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\cef.pak	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\System.Windows.Interactivity.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libogg-0.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\PepperFlash\manifest.json	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\libpxcclr.cs.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\EyeXFramework.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\msvcr100.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\avdevice-57.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\libGLESv2.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\overwolf.ico	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\CoreAudioApi.dll	OverwolfSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

OWinstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	OWinstaller.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

OverwolfSetup.exeOWinstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	OverwolfSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	OWinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	OWinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	OWinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	OWinstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	OverwolfSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	OverwolfSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	OverwolfSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	OverwolfSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	OWinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	OWinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	OverwolfSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OWinstaller.exe

pid	process
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe
1928	OWinstaller.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

OWinstaller.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1928	OWinstaller.exe
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OWinstaller.exe

pid process

1928 OWinstaller.exe
1928 OWinstaller.exe
1928 OWinstaller.exe
1928 OWinstaller.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exeOWinstaller.exe

description	pid	process	target process
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1020 wrote to memory of 1928	1020	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe
PID 1928 wrote to memory of 1840	1928	OWinstaller.exe	OverwolfSetup.exe

C:\Users\Admin\AppData\Local\Temp\8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
"C:\Users\Admin\AppData\Local\Temp\8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\OWinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\OWinstaller.exe" Partner=3337
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
"C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
PID:1840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
Filesize
241.1MB

MD5
e5559f83f3ee9ed0ed8b25d4e9dec909

SHA1
d1de96592bc181e44976c4e14ed9939854e2967b

SHA256
dd3a9a2fa0c4b14945ba49375312f0f834d769b995d5f4aac09630909c122152

SHA512
ad81f0747b83322b8599f61fb24c3351089a7e83e513697a669478f569c323a02d7e3d52ba59bc223b3a2d83e4ae30f4c76f9a4c977e20e538bbce7c81489b51

Download Submit
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
Filesize
216.7MB

MD5
a2aa4312ab2bebaf7e3ad355866913cc

SHA1
0f137b2fdb09c338ab60242ecebac28ffa2d75bb

SHA256
1aa2ab610a491cf708549c44e6a45b0f3ef35a47a912f1d5269a99e767e3fe41

SHA512
42d72a1bdcafa4ac653e6bfad425094afc82433c013167510c94896b21df5be159ea91db482ef74e38cbd45d88e5348e8721792dbeaf3ed6bca31ad1a1872fb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b79bfb32d0dcda4b629b6bbd9b77749a

SHA1
fbd6b1b2edf3a088bcacfcff2c21de5d319f3945

SHA256
0f955cabffea45c2b2aedd05655e32646ae8da940783d21569eb93c84a06a791

SHA512
9ea3286e6bd4063c1bdf1e43d1cf06af42f1c51f79feccf7b00e92d40f4f6e8bc78230969bfd6a0f8e2269ab03c718145124122796602280ed54eba74d2c4ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\OWInstaller.exe
Filesize
1.8MB

MD5
c2f4d3e0a24f4c1aefc19ef652584020

SHA1
84eb726913ce4100ed7a86d2be6f290aa884bda2

SHA256
8935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154

SHA512
2a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\OWinstaller.exe
Filesize
1.8MB

MD5
c2f4d3e0a24f4c1aefc19ef652584020

SHA1
84eb726913ce4100ed7a86d2be6f290aa884bda2

SHA256
8935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154

SHA512
2a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\OWinstaller.exe.config
Filesize
190B

MD5
4bf2a039cd2cf37cf37c19f2912996e0

SHA1
13d480c222d586a70fe568f45b499e6039e63cdb

SHA256
ec7c6bc4205712a0a78c68f7f0f762ac7e62276720a61a6877a94f6a573f0aa7

SHA512
0d69fa9238aad43d205926f92706bfa566eeab96ca213a22d8bdac8e414484b10c4a507a4f4deef058afa9c170e6a3be6c3b0196b290f5809da456860770e22c

Download Submit
\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
Filesize
241.7MB

MD5
f22bb275ede1ec736b29e564deb7bd49

SHA1
ec7692ce6b5e060cb725337ada7a45b07fa8bd70

SHA256
e9271c11d1b86fec6d87b0921cf93cc97a4abedf5e690019a6e85560d9c9827f

SHA512
4dcc27ad4659f855bf6dcf085634b1079a755c7a16b45a2c4d086285ae9eac28ebc87038254fc1110028fbf00a2ca632dfbdca08d89704c2489d56f4d15653f8

Download Submit
\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
\Users\Admin\AppData\Local\Temp\0.116.2.25\nsis7z.dll
Filesize
169KB

MD5
567103638bb0c81cf9bd86f727ea12ac

SHA1
ddc03ea66412f11b5975092f92067a85d29d17b1

SHA256
37dd96230521a91dc7eba0d0a4fe8726b4405562b1a96363a01e28334bde94fd

SHA512
1d64a197489ea45e21a89ec535ca0282eed47ade40589dee31de865870ddb91ffc0921a5eacea89ddf9bc1d9b93bb7edf6f6c3148a18a9611df87be0fc369fa4

Download Submit
\Users\Admin\AppData\Local\Temp\nse1151.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
\Users\Admin\AppData\Local\Temp\nse1151.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
\Users\Admin\AppData\Local\Temp\nse1151.tmp\LogEx.dll
Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
\Users\Admin\AppData\Local\Temp\nse1151.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
\Users\Admin\AppData\Local\Temp\nse1151.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\OWInstaller.exe
Filesize
1.8MB

MD5
c2f4d3e0a24f4c1aefc19ef652584020

SHA1
84eb726913ce4100ed7a86d2be6f290aa884bda2

SHA256
8935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154

SHA512
2a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6E7E.tmp\utils.dll
Filesize
63KB

MD5
20863859dad63ca0638db7eed4ea6b80

SHA1
40e894a8bd5b58c162b52117ddde0fa785bcbfd3

SHA256
ec51e07941dc87526b7056204a679a9a88459d040704a44bf394a49d73c19aa4

SHA512
e06e8f40ea73d108cf7826a88fa349e34109fda96e5d3f9c7f16a35d7457f83cc103a94da6d4141c2c6ff3fef9f0b4555e0702267018dfbb1036f502a4b15998

Download Submit
memory/1020-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1840-73-0x0000000000000000-mapping.dmp

Download
memory/1840-80-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1928-59-0x0000000000000000-mapping.dmp

Download
memory/1928-70-0x0000000002279000-0x000000000228A000-memory.dmp

Filesize
68KB

Download
memory/1928-82-0x0000000073C60000-0x000000007420B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-83-0x0000000002279000-0x000000000228A000-memory.dmp

Filesize
68KB

Download
memory/1928-69-0x0000000073C60000-0x000000007420B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-64-0x0000000073C60000-0x000000007420B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-68-0x0000000002279000-0x000000000228A000-memory.dmp

Filesize
68KB

Download