plugx | 8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997

Analysis

max time kernel
209s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
Size

893KB
MD5

fcaba1be07ff24ecbc53df4eda744298
SHA1

5f793f1ec29377213eb80556b8819f7f7fefefdd
SHA256

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997
SHA512

bcde87620a2590e05ac78b9a8777d1f6c51cfdc68b5a283ca15fdf7942cb288996c9d935b883d70aaca5f887f75ad5230304b263b69ad784a2f4d089cac2c9ae
SSDEEP

24576:lIbVFZC10w1sepi8Hx28WdNizMMTTdcvcCJM3pEGppDrIko:lILA1T1poMx28MNizMKor6uGp

Score

10^/10

plugx redline vidar discovery infostealer stealer trojan

Malware Config

Signatures

Detects PlugX payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe	family_plugx
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe	family_plugx
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 4 IoCs

Processes:

OWinstaller.exeOverwolfSetup.exeOverwolfSetup.exeOverwolfTSHelper.exe

pid process

376 OWinstaller.exe
1068 OverwolfSetup.exe
2076 OverwolfSetup.exe
1440 OverwolfTSHelper.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OWinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OWinstaller.exe

Loads dropped DLL 21 IoCs

Processes:

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exeOWinstaller.exeOverwolfSetup.exe

pid	process
3464	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
3464	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
3464	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe
1068	OverwolfSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

OverwolfSetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\ca-certs\VeriSign_Class3_Extended_Validation_CA.pem	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\fonts\KlavikaWebBasicBoldItalic.woff	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Licenses\Task_Scheduler_Managed_Wrapper.license.txt	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\ftue-slides\slide-apps-image.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\ftue-slides\small-04.png	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Microsoft.Win32.TaskScheduler.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\data\libobs\premultiplied_alpha.effect	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\partials\sliders\giveaways.html	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\scripts\directives\carousel.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\data\libobs\deinterlace_yadif.effect	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Locales\es\OverWolf.Client.Core.resources.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\scripts\directives\ftue-tooltip.js	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\scripts\directives\radio-group.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\obs-plugins\32bit\win-wasapi.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\D3DCompiler_43.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\uninstaller\Files\js\progressSlide.js	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\fonts\KlavikaWebBasicRegular.woff	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\ftue-slides\game-icons\dota-2.png	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\data\libobs\deinterlace_yadif_2x.effect	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Licenses\DotNetZip\License.bzip2.txt	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\ca-certs\Equifax_Secure_CA.pem	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\Audio\Pop_Cropped_-3db.wav	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\data\obs-plugins\obs-filters\sharpness.effect	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Licenses\UltraID3Lib_License.txt	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\OWUninstallMenu.exe	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\uninstaller\Files\assets\fonts\klavika\KlavikaWebBasicRegular.woff	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\ftue-slides\last-slide-animation-sequence.png	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\libssp-0.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\ca-certs\DigiCertHighAssuranceEVRootCA.pem	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\ca-certs\Equifax_Secure_Certificate_Authority.pem	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\ca-certs\Thawte_Premium_Server_CA.pem	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\global\no-games-decoration.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\partials\sliders\skins.html	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\data\obs-plugins\obs-filters\color_correction_filter.effect	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\data\obs-plugins\win-capture\graphics-hook32.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Locales\tr\OverWolf.Client.Core.resources.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\hbldcjbmnmmlfdcmnelgpfgbhjfchkfbpbjiifjp\Icon.ico	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\ow-tobii-gaze.exe	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\obs-plugins\32bit\obs-x264.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\emokficlajnchpkacabnhhjldoakmbdabppoeeme\Splash.png	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\uninstaller\Files\js\main.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\locaglkdehlbijgkcmejdmjbdhibknmknnkknfcf\Icon.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\ftue-slides\game-icons\minecraft.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\scripts\non-ng\strings-loader.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\pgohpgeckmkcnmnkpjgdjdlhmefopdopnhcnllfe\manifest.json	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\VLCRemote.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\bin\32bit\be-right-back.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\emokficlajnchpkacabnhhjldoakmbdabppoeeme\manifest.json	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\iighjfalpgednmflhnefmogncmaafgaddchbadgn\manifest.json	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\obs\obs-plugins\32bit\rtmp-services.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\gphodffjnplojfigjjffnbbpjpcpdpfiimfpfacl\Icon.ico	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\uninstaller\Files\js\window-size.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Licenses\Facebook_Devloper_Kit.license.txt	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Licenses\WPF_Toolkit.license.txt	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\images\ftue-slides\large-01.png	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\uninstaller\Files\js\block_inputs.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Overwolf\0.116.2.25\OverwolfHelper64.exe	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\UltraID3Lib.dll	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\default_extensions\uninstaller.opk	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Resources\builtin_extensions\jnabojaampcpfclojlbildognlnebnhfhibiielh\Icon.png	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\partials\sliders\games_inner.html	OverwolfSetup.exe
File created	C:\Program Files (x86)\Overwolf\0.116.2.25\Store\temp\files\scripts\controllers\search.js	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\OWService.dll	OverwolfSetup.exe
File opened for modification	C:\Program Files (x86)\Overwolf\0.116.2.25\Purplizer\ca-certs\StartCom_Free_SSL_CA.pem	OverwolfSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OWinstaller.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OWinstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OWinstaller.exe

Modifies registry class 15 IoCs

Processes:

OverwolfSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\ = "open"	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit\command	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.opk	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.opk\ = "OPK_File"	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open\command\ = "\"C:\\Program Files (x86)\\Overwolf\\\\OverwolfLauncher.exe\" -install-opk %1"	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\ = "OPK_File"	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\DefaultIcon	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\DefaultIcon\ = "C:\\Program Files (x86)\\Overwolf\\\\0.116.2.25\\IconFileOverwolf_32Bit_16_32_48_256.ico"	OverwolfSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\open\command	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit\ = "Edit OPK_File"	OverwolfSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPK_File\shell\edit\command\ = "\"C:\\Program Files (x86)\\Overwolf\\\\OverwolfLauncher.exe\" -install-opk %1"	OverwolfSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OWinstaller.exe

pid	process
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe
376	OWinstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

OWinstaller.exe

description pid process

Token: SeDebugPrivilege 376 OWinstaller.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OWinstaller.exe

pid process

376 OWinstaller.exe
376 OWinstaller.exe

description	pid	process
Token: SeDebugPrivilege	376	OWinstaller.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exeOWinstaller.exe

description	pid	process	target process
PID 3464 wrote to memory of 376	3464	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 3464 wrote to memory of 376	3464	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 3464 wrote to memory of 376	3464	8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe	OWinstaller.exe
PID 376 wrote to memory of 1068	376	OWinstaller.exe	OverwolfSetup.exe
PID 376 wrote to memory of 1068	376	OWinstaller.exe	OverwolfSetup.exe
PID 376 wrote to memory of 1068	376	OWinstaller.exe	OverwolfSetup.exe
PID 376 wrote to memory of 2076	376	OWinstaller.exe	OverwolfSetup.exe
PID 376 wrote to memory of 2076	376	OWinstaller.exe	OverwolfSetup.exe
PID 376 wrote to memory of 2076	376	OWinstaller.exe	OverwolfSetup.exe

C:\Users\Admin\AppData\Local\Temp\8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe
"C:\Users\Admin\AppData\Local\Temp\8e0c7fabb2ed7c880f985e160f6e5fbdfc15bb645a8ae9701761cd70a582f997.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWinstaller.exe" Partner=3337
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376

C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
"C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1068

C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
"C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe" /S "/TargetDir=C:\Program Files (x86)\Overwolf\" -ignoredotnet
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2076

C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe
"C:\Program Files (x86)\Overwolf\\OverwolfUpdater.exe" /Register
4⤵
PID:1444

C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfTSHelper.exe
"C:\Program Files (x86)\Overwolf\\0.116.2.25\OverwolfTSHelper.exe" /RegServer
4⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Overwolf\0.116.2.25\OverwolfTSHelper.exe
Filesize
452KB

MD5
0940e7945d3e5d199ca74c5c483178a3

SHA1
8c56b19a69c61f3b2ae24bcaa341464b7e08bc56

SHA256
3a856e811bf36233f3f982fd0c71abfae44dd53111a1612421d6bdf8305645f9

SHA512
814cf2c113c656a931675b19b6b422bbff83018083741425d83244108a3d799803e5ce054689301c49ec011572cb633686be7e6d20e0099137a902b8bbfa93a0

Download Submit
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
Filesize
244.3MB

MD5
a3c7b34e775d6323ab88616580d5e1e0

SHA1
9bd707ef8a5107313405886fceccb659e70de3c7

SHA256
d678b995cb7c6f58996d41e5bd815aadc3df4a58ab008d433c2870265816a246

SHA512
87d9c85477a7eba5bb0aa00bd14960655b6bfa45182facde80ef3bcfe8dd5f705195158b3b5985a3deb74712cb0d594082109efb979d40fb5911cf0826f17fa9

Download Submit
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
Filesize
244.3MB

MD5
a3c7b34e775d6323ab88616580d5e1e0

SHA1
9bd707ef8a5107313405886fceccb659e70de3c7

SHA256
d678b995cb7c6f58996d41e5bd815aadc3df4a58ab008d433c2870265816a246

SHA512
87d9c85477a7eba5bb0aa00bd14960655b6bfa45182facde80ef3bcfe8dd5f705195158b3b5985a3deb74712cb0d594082109efb979d40fb5911cf0826f17fa9

Download Submit
C:\ProgramData\Overwolf\Setup\0.116.2.25\OverwolfSetup.exe
Filesize
244.3MB

MD5
a3c7b34e775d6323ab88616580d5e1e0

SHA1
9bd707ef8a5107313405886fceccb659e70de3c7

SHA256
d678b995cb7c6f58996d41e5bd815aadc3df4a58ab008d433c2870265816a246

SHA512
87d9c85477a7eba5bb0aa00bd14960655b6bfa45182facde80ef3bcfe8dd5f705195158b3b5985a3deb74712cb0d594082109efb979d40fb5911cf0826f17fa9

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\InstallerCache\OWResources.dll
Filesize
190KB

MD5
5c252f1bbeb9c18ec94c3697855a7ea5

SHA1
dd2d259a1924baef5be20d79036e156cd82f0f72

SHA256
e4ba5095daab78d5db2fd71a8fc64bef68457768f3d9cd984ae914aa2379dbfb

SHA512
885ae33aecbc07aebb4628ce464b0a780370ea823dd4fbfd5d5a7a87cfbac2e91c629e0fc77a3661e610038c3b9c9eced3820932dfd2a6e3f0293ca4ea60d15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.116.2.25\nsis7z.dll
Filesize
169KB

MD5
567103638bb0c81cf9bd86f727ea12ac

SHA1
ddc03ea66412f11b5975092f92067a85d29d17b1

SHA256
37dd96230521a91dc7eba0d0a4fe8726b4405562b1a96363a01e28334bde94fd

SHA512
1d64a197489ea45e21a89ec535ca0282eed47ade40589dee31de865870ddb91ffc0921a5eacea89ddf9bc1d9b93bb7edf6f6c3148a18a9611df87be0fc369fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.116.2.25\nsis7z.dll
Filesize
169KB

MD5
567103638bb0c81cf9bd86f727ea12ac

SHA1
ddc03ea66412f11b5975092f92067a85d29d17b1

SHA256
37dd96230521a91dc7eba0d0a4fe8726b4405562b1a96363a01e28334bde94fd

SHA512
1d64a197489ea45e21a89ec535ca0282eed47ade40589dee31de865870ddb91ffc0921a5eacea89ddf9bc1d9b93bb7edf6f6c3148a18a9611df87be0fc369fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\INetC.dll
Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\LogEx.dll
Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\LogEx.dll
Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\nsisunz.dll
Filesize
88KB

MD5
bd97d86d8bd07ebdc8ec662a3f31dfd5

SHA1
5e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82

SHA256
c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922

SHA512
4575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\nsisunz.dll
Filesize
88KB

MD5
bd97d86d8bd07ebdc8ec662a3f31dfd5

SHA1
5e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82

SHA256
c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922

SHA512
4575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\nsisunz.dll
Filesize
88KB

MD5
bd97d86d8bd07ebdc8ec662a3f31dfd5

SHA1
5e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82

SHA256
c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922

SHA512
4575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb52DA.tmp\nsisunz.dll
Filesize
88KB

MD5
bd97d86d8bd07ebdc8ec662a3f31dfd5

SHA1
5e2b3a1af5ee53ab6d1d6c2cb8127add39ee7e82

SHA256
c31b590cba443de87f0f4a81712f0883ac3b506f3868759d918d9a81f84ea922

SHA512
4575d1ea0d1b2f74df74cad94eae7fdf31c513e5dc6d945e81e0873b99f94a5d81b1c385c71ab79a19e5bb6c00fc5fffec7a3bbfd60ad7de312cbb53d8bcce9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWInstaller.exe
Filesize
1.8MB

MD5
c2f4d3e0a24f4c1aefc19ef652584020

SHA1
84eb726913ce4100ed7a86d2be6f290aa884bda2

SHA256
8935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154

SHA512
2a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWinstaller.exe
Filesize
1.8MB

MD5
c2f4d3e0a24f4c1aefc19ef652584020

SHA1
84eb726913ce4100ed7a86d2be6f290aa884bda2

SHA256
8935c77b4a1abbd423b1ff36f9263a4f436356aaa338debb989cd5245d00e154

SHA512
2a1271871fb08587d1f7939ffa16e994fd46dfac1fbb84bd348f227c4ff8040a3f3f3f4ea248a5f1bc7e40debddd4d140805f173a84be43c137c28436424b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\OWinstaller.exe.config
Filesize
190B

MD5
4bf2a039cd2cf37cf37c19f2912996e0

SHA1
13d480c222d586a70fe568f45b499e6039e63cdb

SHA256
ec7c6bc4205712a0a78c68f7f0f762ac7e62276720a61a6877a94f6a573f0aa7

SHA512
0d69fa9238aad43d205926f92706bfa566eeab96ca213a22d8bdac8e414484b10c4a507a4f4deef058afa9c170e6a3be6c3b0196b290f5809da456860770e22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\UserInfo.dll
Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk61DC.tmp\utils.dll
Filesize
63KB

MD5
20863859dad63ca0638db7eed4ea6b80

SHA1
40e894a8bd5b58c162b52117ddde0fa785bcbfd3

SHA256
ec51e07941dc87526b7056204a679a9a88459d040704a44bf394a49d73c19aa4

SHA512
e06e8f40ea73d108cf7826a88fa349e34109fda96e5d3f9c7f16a35d7457f83cc103a94da6d4141c2c6ff3fef9f0b4555e0702267018dfbb1036f502a4b15998

Download Submit
memory/376-135-0x0000000000000000-mapping.dmp

Download
memory/376-146-0x000000000B8D0000-0x000000000B901000-memory.dmp

Filesize
196KB

Download
memory/376-139-0x0000000074470000-0x0000000074A21000-memory.dmp

Filesize
5.7MB

Download
memory/1068-157-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/1068-166-0x0000000004690000-0x00000000046AD000-memory.dmp

Filesize
116KB

Download
memory/1068-160-0x0000000002291000-0x0000000002295000-memory.dmp

Filesize
16KB

Download
memory/1068-148-0x0000000000000000-mapping.dmp

Download
memory/2076-150-0x0000000000000000-mapping.dmp

Download