File name:

CurseForge - Installer.exe

Full analysis: https://app.any.run/tasks/3895c37f-bec5-4b83-b622-085c1d10132f
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: September 09, 2024, 20:42:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

A3D6B1C36722CD8C0DBFF8553B9FDA1E

SHA1:

B5671027A2D18132AA5232A9950DFCFC0953528B

SHA256:

47A6AB82EB1B46C818419942FF886695682BB7DD68E332043EEEFB8C66F67DF9

SSDEEP:

98304:Ab/LL0J/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhbD2bLd129hhoA6qT6p9BwCiL:ib

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • OWInstaller.exe (PID: 4784)
    • Steals credentials from Web Browsers

      • OverwolfLauncher.exe (PID: 6964)
    • Actions looks like stealing of personal data

      • OverwolfLauncher.exe (PID: 6964)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • CurseForge - Installer.exe (PID: 5556)
      • CurseForge - Installer.exe (PID: 6824)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 6316)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • CurseForge - Installer.exe (PID: 6824)
      • CurseForge - Installer.exe (PID: 5556)
      • OverwolfSetup.exe (PID: 6364)
    • Application launched itself

      • CurseForge - Installer.exe (PID: 5556)
      • OverwolfLauncher.exe (PID: 6836)
    • Reads security settings of Internet Explorer

      • CurseForge - Installer.exe (PID: 5556)
      • CurseForge - Installer.exe (PID: 6824)
      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 4132)
      • OverwolfLauncher.exe (PID: 6836)
      • OverwolfLauncher.exe (PID: 6964)
      • Overwolf.exe (PID: 2248)
    • Executable content was dropped or overwritten

      • CurseForge - Installer.exe (PID: 6824)
      • CurseForge - Installer.exe (PID: 5556)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 6316)
      • OWInstaller.exe (PID: 4784)
      • Overwolf.exe (PID: 2248)
    • The process creates files with name similar to system file names

      • CurseForge - Installer.exe (PID: 5556)
      • CurseForge - Installer.exe (PID: 6824)
      • OverwolfSetup.exe (PID: 6364)
    • Reads the date of Windows installation

      • OWInstaller.exe (PID: 4784)
      • Overwolf.exe (PID: 2248)
    • Reads Microsoft Outlook installation path

      • OWInstaller.exe (PID: 4784)
    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 1936)
    • Reads Internet Explorer settings

      • OWInstaller.exe (PID: 4784)
    • Checks Windows Trust Settings

      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 4132)
      • Overwolf.exe (PID: 2248)
    • Process drops legitimate windows executable

      • OverwolfSetup.exe (PID: 6364)
      • OWInstaller.exe (PID: 4784)
    • The process drops C-runtime libraries

      • OverwolfSetup.exe (PID: 6364)
    • Creates a software uninstall entry

      • OverwolfSetup.exe (PID: 6364)
      • Overwolf.exe (PID: 2248)
    • Adds/modifies Windows certificates

      • OverwolfUpdater.exe (PID: 4132)
    • Starts SC.EXE for service management

      • OverwolfUpdater.exe (PID: 4132)
    • The process executes via Task Scheduler

      • OverwolfLauncher.exe (PID: 6836)
    • Searches for installed software

      • Overwolf.exe (PID: 2248)
    • There is functionality for taking screenshot (YARA)

      • Overwolf.exe (PID: 2248)
  • INFO

    • Checks supported languages

      • CurseForge - Installer.exe (PID: 5556)
      • OWInstaller.exe (PID: 4784)
      • CurseForge - Installer.exe (PID: 6824)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 6316)
      • OverwolfUpdater.exe (PID: 4132)
      • OverwolfTSHelper.exe (PID: 5796)
      • checkRedist.exe (PID: 6632)
      • OverwolfLauncher.exe (PID: 6836)
      • OverwolfLauncher.exe (PID: 6964)
      • OverwolfTSHelper.exe (PID: 6368)
      • OverwolfBrowser.exe (PID: 6344)
      • OverwolfBrowser.exe (PID: 5944)
      • OverwolfBrowser.exe (PID: 6032)
      • Overwolf.exe (PID: 2248)
    • Reads the computer name

      • CurseForge - Installer.exe (PID: 5556)
      • CurseForge - Installer.exe (PID: 6824)
      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 6316)
      • OverwolfTSHelper.exe (PID: 5796)
      • OverwolfLauncher.exe (PID: 6836)
      • OverwolfUpdater.exe (PID: 4132)
      • OverwolfLauncher.exe (PID: 6964)
      • Overwolf.exe (PID: 2248)
      • OverwolfTSHelper.exe (PID: 6368)
      • OverwolfBrowser.exe (PID: 6344)
      • OverwolfBrowser.exe (PID: 5944)
      • OverwolfBrowser.exe (PID: 6032)
    • Create files in a temporary directory

      • CurseForge - Installer.exe (PID: 5556)
      • CurseForge - Installer.exe (PID: 6824)
      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfLauncher.exe (PID: 6964)
    • Process checks computer location settings

      • CurseForge - Installer.exe (PID: 5556)
      • OWInstaller.exe (PID: 4784)
      • Overwolf.exe (PID: 2248)
    • Creates files or folders in the user directory

      • CurseForge - Installer.exe (PID: 6824)
      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • dxdiag.exe (PID: 1936)
      • OverwolfUpdater.exe (PID: 4132)
      • Overwolf.exe (PID: 2248)
      • OverwolfLauncher.exe (PID: 6964)
      • OverwolfBrowser.exe (PID: 6344)
      • dxdiag.exe (PID: 300)
    • Checks proxy server information

      • CurseForge - Installer.exe (PID: 6824)
      • dxdiag.exe (PID: 1936)
      • OverwolfSetup.exe (PID: 6364)
      • OWInstaller.exe (PID: 4784)
      • OverwolfUpdater.exe (PID: 4132)
      • Overwolf.exe (PID: 2248)
    • Reads the machine GUID from the registry

      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 4132)
      • Overwolf.exe (PID: 2248)
      • OverwolfBrowser.exe (PID: 6344)
      • OverwolfBrowser.exe (PID: 6032)
      • OverwolfBrowser.exe (PID: 5944)
    • The process uses the downloaded file

      • OWInstaller.exe (PID: 4784)
      • OverwolfUpdater.exe (PID: 4132)
      • chrome.exe (PID: 3304)
      • chrome.exe (PID: 5048)
      • chrome.exe (PID: 4024)
      • chrome.exe (PID: 400)
      • chrome.exe (PID: 6996)
      • chrome.exe (PID: 6152)
      • chrome.exe (PID: 5052)
      • chrome.exe (PID: 5064)
      • OverwolfLauncher.exe (PID: 6836)
      • OverwolfLauncher.exe (PID: 6964)
      • Overwolf.exe (PID: 2248)
    • Reads Environment values

      • OWInstaller.exe (PID: 4784)
      • Overwolf.exe (PID: 2248)
      • OverwolfBrowser.exe (PID: 6344)
    • Reads the software policy settings

      • OWInstaller.exe (PID: 4784)
      • dxdiag.exe (PID: 1936)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 4132)
      • OverwolfLauncher.exe (PID: 6836)
      • OverwolfLauncher.exe (PID: 6964)
      • Overwolf.exe (PID: 2248)
      • dxdiag.exe (PID: 300)
    • Reads product name

      • OWInstaller.exe (PID: 4784)
      • Overwolf.exe (PID: 2248)
    • Disables trace logs

      • OWInstaller.exe (PID: 4784)
      • Overwolf.exe (PID: 2248)
    • Reads security settings of Internet Explorer

      • dxdiag.exe (PID: 1936)
      • dxdiag.exe (PID: 300)
    • Creates files in the program directory

      • OWInstaller.exe (PID: 4784)
      • OverwolfSetup.exe (PID: 6364)
      • OverwolfUpdater.exe (PID: 6316)
      • OverwolfUpdater.exe (PID: 4132)
      • Overwolf.exe (PID: 2248)
    • Application launched itself

      • chrome.exe (PID: 6928)
    • Sends debugging messages

      • OverwolfLauncher.exe (PID: 6836)
      • Overwolf.exe (PID: 2248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.258.0.4
ProductVersionNumber: 2.258.0.4
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: CurseForge
FileVersion: 2.258.0.4
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: CurseForge
ProductVersion: 2.258.0.4
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
67
Malicious processes
7
Suspicious processes
1

Behavior graph

start curseforge - installer.exe curseforge - installer.exe owinstaller.exe dxdiag.exe overwolfsetup.exe overwolfupdater.exe overwolfupdater.exe overwolftshelper.exe no specs checkredist.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs overwolflauncher.exe overwolflauncher.exe THREAT overwolf.exe dxdiag.exe no specs overwolftshelper.exe no specs overwolfbrowser.exe no specs overwolfbrowser.exe no specs overwolfbrowser.exe chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 300
CMD: "C:\WINDOWS\System32\DxDiag.exe" /tC:\Users\admin\AppData\Local\Overwolf\Temp\DxDiagOutput.txt
Path: C:\Windows\System32\dxdiag.exe
Parent process: Overwolf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft DirectX Diagnostic Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 400
CMD: "sc" sdshow OverwolfUpdater
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 400
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5596 --field-trial-handle=1928,i,14516410041653264200,9122254943343748603,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1060
CMD: "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;SY)(A;;RPWPCR;;;S-1-5-19)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1108
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5696 --field-trial-handle=1928,i,14516410041653264200,9122254943343748603,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1116
CMD: "sc" sdset OverwolfUpdater D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-18)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1552
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=1928,i,14516410041653264200,9122254943343748603,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1680
CMD: "sc" sdshow OverwolfUpdater
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1700
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
44 113
Read events
43 750
Write events
313
Delete events
50

Modification events

Process: (6824) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (6824) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (6824) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (4784) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Overwolf
Operation: write
Name: MUID
Value: bb926e54-e3ca-40fd-ae90-2764341e7792

Process: (1936) dxdiag.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

Process: (4784) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (4784) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (4784) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (4784) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (4784) OWInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:
Executable files
412
Suspicious files
687
Text files
1 777
Unknown types
20

Dropped files

PID
Process
Filename
Type
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\OWInstaller.exe | executable
MD5: F917A0C54D415132747330FFED94A13E
SHA256: 8953A3E3EF8E53D95486A73A78F15FF7D0B4BAEE198CF469D1ECEF926B493C3B
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\SharpRaven.dll | executable
MD5: 551A0903C6598FB93777FB10FCD11E3E
SHA256: CD53520A046058FD26CF0051BFF47051948D3B7932234A90A60E3E59E57D6361
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\nsProcess.dll | executable
MD5: 10E47E822B85D2A12FA4727001612182
SHA256: D530589A90918334B8E08D7355630892DD62F41333D948A860735D5BECFCB391
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\UserInfo.dll | executable
MD5: 1DD4CA0F4A94155F8D46EC95A20ADA4A
SHA256: A27DC3069793535CB64123C27DCA8748983D133C8FA5AADDEE8CDBC83F16986D
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\nsis7z64.dll | executable
MD5: 284C46AF1FD2EC3A60EE0C28F276F2A4
SHA256: 2368BE6D8B21E0047146D3F61F90966A71D0737EED0146BC692B59F3CAC97793
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\uac.dll | executable
MD5: 861F7E800BB28F68927E65719869409C
SHA256: 10A0E8CF46038AB3B2C3CF5DCE407B9A043A631CBDE9A5C8BCF0A54B2566C010
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\utils.dll | executable
MD5: C6B46A5FCDCCBF3AEFF930B1E5B383D4
SHA256: 251AB3E2690562DCFCD510642607F206E6DCF626D06D94B74E1FA8297B1050A0
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\DotNetZip.dll | executable
MD5: 190E712F2E3B065BA3D5F63CB9B7725E
SHA256: 6C512D9943A225D686B26FC832589E4C8BEF7C4DD0A8BDFD557D5D27FE5BBA0F
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\app\index.html | html
MD5: C7B752ACF6D1E10F3ACA2C67B1CCF4D3
SHA256: 69B9F99F6611F953D94984AC35BDAF9E9817F689E1E3614976BEBE3465C613FC
5556 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nshA9D6.tmp\Newtonsoft.Json.dll | executable
MD5: 98CBB64F074DC600B23A2EE1A0F46448
SHA256: 7B44639CBFBC8DDAC8C7A3DE8FFA97A7460BEBB0D54E9FF2E1CCDC3A742C2B13
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
69
TCP/UDP connections
99
DNS requests
90
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4784
OWInstaller.exe
GET
200
142.250.186.110:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=238895001&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=748975085&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1214070212.1725914589.1725914589.1725914589.2%3B%2B__utmz%3D0.1725914589.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event
unknown
whitelisted
4784
OWInstaller.exe
GET
200
142.250.181.227:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
6824
CurseForge - Installer.exe
GET
200
18.244.18.51:80
http://analyticsnew.overwolf.com/analytics/Counter?Name=installer_uac_action&Value=1&&Extra=%5b%7b%22Name%22%3a%22installer_version%22%2c%22Value%22%3a%222.258.0.4%22%7d%5d
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4784
OWInstaller.exe
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
unknown
4784
OWInstaller.exe
GET
200
52.84.193.90:80
http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEm3iwvr9LEetiLFWbgGCBG0%3D
unknown
whitelisted
4784
OWInstaller.exe
GET
200
172.217.18.3:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
4784
OWInstaller.exe
GET
200
142.250.184.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=823076227&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=762430635&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1214070212.1725914589.1725914589.1725914589.2%3B%2B__utmz%3D0.1725914589.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28HostingBandwidth%2Asetup-overwolf-com.akamaized.net%2A%29%28%29&gaq=1&utmt=event
unknown
whitelisted
4784
OWInstaller.exe
GET
200
142.250.186.131:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3D
unknown
whitelisted
1936
dxdiag.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
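The analytics requests in the table above carry the installer's telemetry URL-encoded, so it is worth decoding what is actually reported before any UI is shown. The two __utm.gif hits from OWInstaller.exe use the legacy Google Analytics event format (utme = "5(category*action*label)(value)") and carry a __utma cookie with a visitor ID and visit timestamps; the Counter call from CurseForge - Installer.exe carries JSON in its Extra parameter. The "NSIS_Inetc (Mozilla)" user agent flagged under Threats is the default user agent of the NSIS Inetc download plugin, consistent with the NSIS plugin DLLs the installer dropped into nshA9D6.tmp. The decoder below is an added example, not part of this report or of Overwolf's code; the three URLs are copied verbatim from the table and nothing is sent over the network.

```python
"""Decode the analytics beacons recorded in the HTTP requests table.
Added example; URLs copied from the report, nothing here touches the network."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

GA_BEACONS = [
    "http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=238895001&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=748975085&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1214070212.1725914589.1725914589.1725914589.2%3B%2B__utmz%3D0.1725914589.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event",
    "http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=823076227&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=762430635&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1214070212.1725914589.1725914589.1725914589.2%3B%2B__utmz%3D0.1725914589.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28HostingBandwidth%2Asetup-overwolf-com.akamaized.net%2A%29%28%29&gaq=1&utmt=event",
]
OVERWOLF_COUNTER = "http://analyticsnew.overwolf.com/analytics/Counter?Name=installer_uac_action&Value=1&&Extra=%5b%7b%22Name%22%3a%22installer_version%22%2c%22Value%22%3a%222.258.0.4%22%7d%5d"

# Legacy GA event encoding: utme=5(category*action*label)(value)
UTME_EVENT = re.compile(r"^5\((.*)\)\((.*)\)$")


def _query(url):
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def decode_ga_event(url):
    """Return the event fields plus the visitor identity carried in __utma."""
    q = _query(url)
    m = UTME_EVENT.match(q.get("utme", [""])[0])
    if not m:
        raise ValueError("utme parameter is not a GA event (type 5)")
    category, action, label = (m.group(1).split("*") + ["", ""])[:3]
    result = {
        "property": q["utmac"][0],          # GA property the hit is billed to
        "category": category,
        "action": action,
        "label": label,
        "value": m.group(2),
    }
    # __utma=<domain hash>.<visitor id>.<first visit>.<previous>.<current>.<sessions>
    utma = re.search(r"__utma=([^;]+)", q.get("utmcc", [""])[0])
    fields = utma.group(1).split(".") if utma else []
    if len(fields) == 6:
        result["visitor_id"] = fields[1]
        result["first_visit_utc"] = datetime.fromtimestamp(
            int(fields[2]), timezone.utc).isoformat()
        result["session_count"] = int(fields[5])
    return result


def decode_overwolf_counter(url):
    """Counter?Name=&Value=&Extra=<json list of {Name, Value}> -> flat dict."""
    q = _query(url)
    extra = json.loads(q.get("Extra", ["[]"])[0])
    return {
        "name": q["Name"][0],
        "value": q["Value"][0],
        "extra": {item["Name"]: item["Value"] for item in extra},
    }


if __name__ == "__main__":
    for beacon in GA_BEACONS:
        print(decode_ga_event(beacon))
    print(decode_overwolf_counter(OVERWOLF_COUNTER))
```

Decoded, the first beacon is an "Installer Launched" event whose label lists every installed .NET Framework version on the guest, the second records which CDN host served the payload, and the Counter call reports the UAC outcome together with the installer version. The __utma first-visit timestamp (1725914589) lands a few seconds after the report's analysis start time, which is what a fresh sandbox machine should look like.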

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6652
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
20.72.205.209:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6824
CurseForge - Installer.exe
18.244.18.51:80
analyticsnew.overwolf.com
US
whitelisted
4784
OWInstaller.exe
142.250.186.110:80
www.google-analytics.com
GOOGLE
US
whitelisted
4784
OWInstaller.exe
18.244.18.51:443
analyticsnew.overwolf.com
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.72.205.209
  • 40.127.240.158
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
analyticsnew.overwolf.com
  • 18.244.18.51
  • 18.244.18.46
  • 18.244.18.106
  • 18.244.18.56
whitelisted
www.google-analytics.com
  • 142.250.186.110
  • 142.250.184.238
whitelisted
content.overwolf.com
  • 18.239.83.78
  • 18.239.83.121
  • 18.239.83.76
  • 18.239.83.31
  • 18.245.86.110
  • 18.245.86.78
  • 18.245.86.117
  • 18.245.86.39
whitelisted
ocsp.rootca3.amazontrust.com
  • 52.84.193.90
unknown
storeapi.overwolf.com
  • 18.172.112.72
  • 18.172.112.62
  • 18.172.112.117
  • 18.172.112.84
shared
www.overwolf.com
  • 18.164.52.69
  • 18.164.52.60
  • 18.164.52.54
  • 18.164.52.34
  • 108.138.26.25
  • 108.138.26.27
  • 108.138.26.77
  • 108.138.26.98
whitelisted
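Several of the OCSP responders OWInstaller.exe contacted (ocsp.rootca1.amazontrust.com, ocsp.rootca3.amazontrust.com, ocsp.pki.goog, o.pki.goog) appear with reputation "unknown" in the HTTP, connection and DNS tables above, and a long opaque path on an unfamiliar host is easy to misread as beaconing. Per RFC 6960 Appendix A an OCSP GET encodes the whole OCSPRequest as base64 DER in the URL path, so the request can be decoded offline to recover the CertID (hash algorithm, issuer name hash, issuer key hash and certificate serial number) that was being checked, which is exactly what a signature-verification chain looks like on the wire. The decoder below is an added example, not part of this report or of Overwolf's code; it uses only the four URLs copied from the HTTP requests table and the standard library, and it assumes the client percent-encoded the '/' characters of the base64 text, as these requests do.

```python
"""Decode OCSP GET requests from the report (RFC 6960 A.1: path = base64(DER OCSPRequest)).
Added example; URLs copied from the HTTP requests table, decoded offline."""
import base64
from urllib.parse import unquote, urlsplit

OCSP_URLS = {
    "amazon-r1": "http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D",
    "amazon-r3": "http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEm3iwvr9LEetiLFWbgGCBG0%3D",
    "gsr1": "http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D",
    "wr2": "http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGs31zQSL0RFCna%2BsoPon%2Bg%3D",
}
SHA1_OID = "1.3.14.3.2.26"


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(value):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def decode_ocsp_get(url):
    """Return one dict per CertID in the request carried by an OCSP GET URL."""
    # Last path segment is the base64 text; '/' inside it is %2F-encoded in these URLs
    # (assumption: clients that leave '/' bare would need the responder prefix stripped instead).
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    der = base64.b64decode(unquote(segment))
    tag, ocsp_request, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(ocsp_request)[0][1]                      # tbsRequest
    # tbsRequest may start with [0] version / [1] requestorName; requestList is the SEQUENCE.
    request_list = next(v for t, v in _children(tbs) if t == 0x30)
    results = []
    for _, request in _children(request_list):
        cert_id = _children(request)[0][1]
        alg, name_hash, key_hash, serial = _children(cert_id)[:4]
        results.append({
            "hash_alg": _oid(_children(alg[1])[0][1]),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": serial[1].hex(),                       # DER INTEGER bytes, big-endian
        })
    return results


if __name__ == "__main__":
    for name, url in OCSP_URLS.items():
        for cert_id in decode_ocsp_get(url):
            print(name, cert_id)
```

Each request resolves to a single CertID hashed with SHA-1, the usual shape of a Windows (CryptoAPI) revocation check while validating an Authenticode or TLS chain. The serial numbers and issuer key hashes can be matched against the certificates in the signed binaries' chains to confirm which signer was being validated; that comparison needs the certificates themselves and is not part of this report.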

Threats

PID
Process
Class
Message
6824
CurseForge - Installer.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
16 ETPRO signatures available at the full report

Process | Message
OverwolfLauncher.exe | OWLauncher::Process executed C:\Program Files (x86)\Overwolf\Overwolf.exe
OverwolfLauncher.exe | OWLauncher::Waiting for event...
Overwolf.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Overwolf directory exists )
OverwolfLauncher.exe | OWLauncher::Process timeout
OverwolfLauncher.exe | OWLauncher::Exit Listener.
OverwolfLauncher.exe | OWLauncher::Listener End.
OverwolfLauncher.exe | OWLauncher::End.