URL:

https://download.overwolf.com/installer/prod/d04806934fc0ad00d6c2f1a0b783e01b/Porofessor.gg%20-%20Installer.exe

Full analysis: https://app.any.run/tasks/4eae7f7f-52ab-4ac2-a535-1e31c13c4cc9
Verdict: Malicious activity
Analysis date: November 24, 2024, 09:32:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
arch-html
arch-doc
Indicators:
MD5:

26E79E25AD993EB3B1785A730548EFE8

SHA1:

BDF2F7AD9328C72FD26C16723F3F5F3513B2BFCB

SHA256:

3D2B89B20B259E926D769F9BCC672C4FC5361C369D56FD2946B710C64D451ABE

SSDEEP:

3:N8SElYSXKCgOXKVHcuvKTXSrUqZD6KX2/TXLNn:2SKYSXtgOXHDqUYDg7XLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Porofessor.gg - Installer.exe (PID: 8152)
      • Porofessor.gg - Installer.exe (PID: 7188)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Porofessor.gg - Installer.exe (PID: 8152)
      • OverwolfSetup.exe (PID: 6964)
      • Porofessor.gg - Installer.exe (PID: 7188)
    • Drops 7-zip archiver for unpacking

      • Porofessor.gg - Installer.exe (PID: 8152)
      • OverwolfSetup.exe (PID: 6964)
      • Porofessor.gg - Installer.exe (PID: 7188)
      • OverwolfUpdater.exe (PID: 7832)
    • Reads security settings of Internet Explorer

      • Porofessor.gg - Installer.exe (PID: 8152)
      • Porofessor.gg - Installer.exe (PID: 7188)
    • Application launched itself

      • Porofessor.gg - Installer.exe (PID: 8152)
      • OverwolfLauncher.exe (PID: 4932)
      • VC_redist.x64.exe (PID: 7276)
      • VC_redist.x64.exe (PID: 8188)
      • OverwolfUpdater.exe (PID: 7940)
    • Process drops legitimate windows executable

      • OverwolfSetup.exe (PID: 6964)
      • vcredist.exe (PID: 4336)
      • vcredist.exe (PID: 4556)
      • msiexec.exe (PID: 6260)
      • VC_redist.x64.exe (PID: 6368)
      • VC_redist.x64.exe (PID: 3692)
    • Executable content was dropped or overwritten

      • Porofessor.gg - Installer.exe (PID: 8152)
      • Porofessor.gg - Installer.exe (PID: 7188)
      • OverwolfSetup.exe (PID: 6964)
      • OWInstaller.exe (PID: 7256)
      • OverwolfUpdater.exe (PID: 7832)
      • vcredist.exe (PID: 4556)
      • vcredist.exe (PID: 4336)
      • Overwolf.exe (PID: 4968)
      • VC_redist.x64.exe (PID: 6368)
      • VC_redist.x64.exe (PID: 3692)
      • VC_redist.x64.exe (PID: 8188)
    • The process drops C-runtime libraries

      • OverwolfSetup.exe (PID: 6964)
      • msiexec.exe (PID: 6260)
    • Executes application which crashes

      • checkRedist.exe (PID: 3736)
    • Starts SC.EXE for service management

      • OverwolfUpdater.exe (PID: 7840)
    • Starts a Microsoft application from unusual location

      • VC_redist.x64.exe (PID: 3692)
      • vcredist.exe (PID: 4336)
    • Starts itself from another location

      • vcredist.exe (PID: 4336)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7068)
      • OverwolfUpdater.exe (PID: 7940)
      • OverwolfUpdater.exe (PID: 7604)
    • The process executes via Task Scheduler

      • OverwolfLauncher.exe (PID: 4932)
  • INFO

    • The process uses the downloaded file

      • msedge.exe (PID: 5732)
      • msedge.exe (PID: 7616)
      • iexplore.exe (PID: 5748)
    • Checks supported languages

      • Porofessor.gg - Installer.exe (PID: 8152)
      • identity_helper.exe (PID: 6764)
      • Porofessor.gg - Installer.exe (PID: 7188)
      • OWInstaller.exe (PID: 7256)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5732)
      • msiexec.exe (PID: 6260)
    • Reads the computer name

      • Porofessor.gg - Installer.exe (PID: 8152)
      • identity_helper.exe (PID: 6764)
      • OWInstaller.exe (PID: 7256)
      • Porofessor.gg - Installer.exe (PID: 7188)
    • Process checks computer location settings

      • Porofessor.gg - Installer.exe (PID: 8152)
    • Create files in a temporary directory

      • Porofessor.gg - Installer.exe (PID: 8152)
      • Porofessor.gg - Installer.exe (PID: 7188)
    • Reads Environment values

      • identity_helper.exe (PID: 6764)
    • Application launched itself

      • msedge.exe (PID: 5732)
      • msedge.exe (PID: 7344)
      • msedge.exe (PID: 6560)
    • Checks proxy server information

      • Porofessor.gg - Installer.exe (PID: 7188)
    • Reads the machine GUID from the registry

      • OWInstaller.exe (PID: 7256)
    • Creates files or folders in the user directory

      • Porofessor.gg - Installer.exe (PID: 7188)
    • Manages system restore points

      • SrTasks.exe (PID: 4952)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 279
Monitored processes: 138
Malicious processes: 7
Suspicious processes: 5

Behavior graph


Process information

PID: 536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 648
CMD: "sc" sdshow OverwolfUpdater
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 836
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6836 --field-trial-handle=2396,i,2615778895685411924,8429020289654339894,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 880
CMD: "C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe" /RunningFrom FromService /SelfLaunched
Path: C:\Program Files (x86)\Common Files\Overwolf\OverwolfUpdater.exe
Parent process: OverwolfUpdater.exe
User: SYSTEM
Company: Overwolf LTD
Integrity Level: SYSTEM
Description: OverwolfUpdater
Exit code: 0
Version: 0.263.0.11
PID: 1216
CMD: "sc" sdshow OverwolfUpdater
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1416
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4924 --field-trial-handle=2396,i,2615778895685411924,8429020289654339894,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1468
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5716 --field-trial-handle=2396,i,2615778895685411924,8429020289654339894,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 1556
CMD: "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;S-1-5-19)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1556
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6628 --field-trial-handle=2396,i,2615778895685411924,8429020289654339894,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 1944
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4736 --field-trial-handle=2368,i,14870776957278639530,10110869372589149664,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

Total events: 33 083
Read events: 32 776
Write events: 272
Delete events: 35

Modification events

Process (PID): iexplore.exe (5748)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process (PID): iexplore.exe (5748)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process (PID): iexplore.exe (5748)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process (PID): iexplore.exe (5748)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process (PID): iexplore.exe (5748)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

Process (PID): iexplore.exe (5748)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value: 1

Process (PID): msedge.exe (5732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

Process (PID): msedge.exe (5732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation: write
Name: Enabled
Value: 0

Process (PID): msedge.exe (5732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation: write
Name: EnhancedLinkOpeningDefault
Value: Default

Process (PID): msedge.exe (5732)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\197342
Operation: write
Name: WindowTabManagerFileMappingId
Value: {9FD76F30-F506-4224-A69C-45FF05A5C778}

Executable files: 392
Suspicious files: 1 142
Text files: 1 401
Unknown types: 141

Dropped files

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135538.TMP
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135538.TMP
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135538.TMP
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135538.TMP
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135557.TMP
MD5:
SHA256:

Process (PID): msedge.exe (5732)
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 119
TCP/UDP connections: 199
DNS requests: 186
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1596 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1596 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
 | | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4528 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
7816 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7816 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1596 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1596 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
 | | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19, 2.16.164.51, 2.16.164.9, 2.16.164.18, 2.16.164.106, 2.16.164.43, 2.16.164.97, 23.48.23.173, 23.48.23.143 | whitelisted
www.microsoft.com | 95.101.149.131, 23.35.229.160, 88.221.169.152 | whitelisted
google.com | 172.217.16.142 | whitelisted
www.bing.com | 2.23.209.130, 2.23.209.140, 2.23.209.187, 2.23.209.158, 2.23.209.133, 2.23.209.189, 2.23.209.150, 2.23.209.161, 2.23.209.149, 2.23.209.141, 2.23.209.177, 2.23.209.176, 2.23.209.160, 2.23.209.179, 2.23.209.185, 2.23.209.182, 2.23.209.181, 104.126.37.170, 104.126.37.145, 104.126.37.137, 104.126.37.139, 104.126.37.163, 104.126.37.144, 104.126.37.153, 104.126.37.131, 104.126.37.130 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
download.overwolf.com | 65.9.66.71, 65.9.66.110, 65.9.66.53, 65.9.66.30 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
business.bing.com | 13.107.6.158 | whitelisted

Threats

PID | Process | Class | Message
7188 | Porofessor.gg - Installer.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
 | | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
 | | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
2 ETPRO signatures available in the full report
No debug info