File name: CurseForge - Installer.exe
Full analysis: https://app.any.run/tasks/8365915e-19e1-4637-8a93-83206919cc06
Verdict: Malicious activity
Analysis date: January 21, 2025, 14:15:03
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
arch-doc
arch-html
arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 9869DDF1F215D8899015FC1C8569566D
SHA1: 4AC02E9E4495C5EF769C5EB52041229389EAFA3D
SHA256: 5743075FA3FA7CD8A1B2C582405F583F886C0D3539EA1C2A1AFDB76D4EE1D43B
SSDEEP: 98304:p0qtzNa6J/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhuhKrHVk2ENB0+o1QVNGRpQ:w
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 6404)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
    • The process creates files with name similar to system file names

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
    • Executable content was dropped or overwritten

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • vcredist.exe (PID: 3060)
      • vcredist.exe (PID: 7012)
      • VC_redist.x64.exe (PID: 6404)
      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
    • Drops 7-zip archiver for unpacking

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
    • Reads the Internet Settings

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • WerFault.exe (PID: 1912)
      • vcredist.exe (PID: 3060)
      • OverwolfLauncher.exe (PID: 2212)
      • VC_redist.x64.exe (PID: 5264)
    • Reads security settings of Internet Explorer

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • vcredist.exe (PID: 3060)
      • OverwolfLauncher.exe (PID: 2212)
      • VC_redist.x64.exe (PID: 5264)
    • Application launched itself

      • CurseForge - Installer.exe (PID: 5064)
      • VC_redist.x64.exe (PID: 808)
      • VC_redist.x64.exe (PID: 5264)
    • Reads the date of Windows installation

      • OWInstaller.exe (PID: 4768)
    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 2892)
    • There is functionality for taking screenshot (YARA)

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
    • Reads Internet Explorer settings

      • OWInstaller.exe (PID: 4768)
    • Reads Microsoft Outlook installation path

      • OWInstaller.exe (PID: 4768)
    • Reads settings of System Certificates

      • dxdiag.exe (PID: 2892)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • OverwolfLauncher.exe (PID: 2212)
    • Checks Windows Trust Settings

      • OverwolfSetup.exe (PID: 1424)
      • OWInstaller.exe (PID: 4768)
      • OverwolfUpdater.exe (PID: 4628)
      • msiexec.exe (PID: 1208)
    • Process drops legitimate windows executable

      • OverwolfSetup.exe (PID: 1424)
      • vcredist.exe (PID: 7012)
      • vcredist.exe (PID: 3060)
      • VC_redist.x64.exe (PID: 6404)
      • OWInstaller.exe (PID: 4768)
      • msiexec.exe (PID: 1208)
      • VC_redist.x64.exe (PID: 2192)
    • The process drops C-runtime libraries

      • OverwolfSetup.exe (PID: 1424)
      • msiexec.exe (PID: 1208)
    • Creates a software uninstall entry

      • OverwolfSetup.exe (PID: 1424)
      • VC_redist.x64.exe (PID: 6404)
    • Executes application which crashes

      • checkRedist.exe (PID: 6516)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5276)
      • sc.exe (PID: 2928)
      • sc.exe (PID: 3888)
      • sc.exe (PID: 2256)
      • sc.exe (PID: 6116)
      • sc.exe (PID: 872)
      • sc.exe (PID: 5800)
      • sc.exe (PID: 6100)
      • sc.exe (PID: 3252)
      • sc.exe (PID: 2832)
      • sc.exe (PID: 5160)
      • sc.exe (PID: 1872)
    • Starts SC.EXE for service management

      • OverwolfUpdater.exe (PID: 4628)
    • Adds/modifies Windows certificates

      • OverwolfUpdater.exe (PID: 4628)
    • Starts a Microsoft application from unusual location

      • vcredist.exe (PID: 3060)
      • VC_redist.x64.exe (PID: 6404)
    • Searches for installed software

      • vcredist.exe (PID: 3060)
      • dllhost.exe (PID: 6788)
      • VC_redist.x64.exe (PID: 6404)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
    • Starts itself from another location

      • vcredist.exe (PID: 3060)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1060)
    • The process executes via Task Scheduler

      • OverwolfLauncher.exe (PID: 2212)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1208)
  • INFO

    • Checks supported languages

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • OverwolfUpdater.exe (PID: 1400)
      • checkRedist.exe (PID: 6516)
      • OverwolfTSHelper.exe (PID: 6308)
      • vcredist.exe (PID: 7012)
      • VC_redist.x64.exe (PID: 6404)
      • vcredist.exe (PID: 3060)
      • OverwolfLauncher.exe (PID: 2212)
      • identity_helper.exe (PID: 1096)
      • VC_redist.x64.exe (PID: 808)
      • VC_redist.x64.exe (PID: 5264)
      • msiexec.exe (PID: 1208)
      • Overwolf.exe (PID: 528)
      • VC_redist.x64.exe (PID: 2192)
    • The sample compiled with english language support

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • vcredist.exe (PID: 7012)
      • vcredist.exe (PID: 3060)
      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
    • Reads the computer name

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • OverwolfUpdater.exe (PID: 4628)
      • OverwolfTSHelper.exe (PID: 6308)
      • vcredist.exe (PID: 7012)
      • vcredist.exe (PID: 3060)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • identity_helper.exe (PID: 1096)
      • VC_redist.x64.exe (PID: 5264)
      • Overwolf.exe (PID: 528)
      • VC_redist.x64.exe (PID: 2192)
    • Create files in a temporary directory

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • vcredist.exe (PID: 3060)
    • Checks proxy server information

      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
    • Reads Environment values

      • OWInstaller.exe (PID: 4768)
      • identity_helper.exe (PID: 1096)
      • Overwolf.exe (PID: 528)
    • Creates files or folders in the user directory

      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • dxdiag.exe (PID: 2892)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • WerFault.exe (PID: 1912)
    • Reads the machine GUID from the registry

      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • Overwolf.exe (PID: 528)
    • Reads product name

      • OWInstaller.exe (PID: 4768)
    • Disables trace logs

      • OWInstaller.exe (PID: 4768)
    • The process uses the downloaded file

      • OWInstaller.exe (PID: 4768)
    • Reads the software policy settings

      • dxdiag.exe (PID: 2892)
      • OverwolfSetup.exe (PID: 1424)
      • OWInstaller.exe (PID: 4768)
      • OverwolfUpdater.exe (PID: 4628)
      • WerFault.exe (PID: 1912)
      • msiexec.exe (PID: 1208)
      • OverwolfLauncher.exe (PID: 2212)
    • Reads security settings of Internet Explorer

      • dxdiag.exe (PID: 2892)
    • Creates files in the program directory

      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • OverwolfUpdater.exe (PID: 4628)
    • Application launched itself

      • msedge.exe (PID: 2592)
      • msedge.exe (PID: 2436)
      • msedge.exe (PID: 3852)
    • Manual execution by a user

      • msedge.exe (PID: 2436)
    • Manages system restore points

      • SrTasks.exe (PID: 252)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1208)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.250.0.2
ProductVersionNumber: 2.250.0.2
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: CurseForge
FileVersion: 2.250.0.2
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: CurseForge
ProductVersion: 2.250.0.2
No data.
Total processes
200
Monitored processes
85
Malicious processes
12
Suspicious processes
1

Behavior graph

start curseforge - installer.exe curseforge - installer.exe owinstaller.exe dxdiag.exe no specs overwolfsetup.exe overwolfupdater.exe overwolfupdater.exe overwolftshelper.exe no specs checkredist.exe conhost.exe no specs werfault.exe sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs vcredist.exe vcredist.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs msedge.exe no specs overwolflauncher.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe overwolf.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 252
CMD: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:14
Path: C:\Windows\System32\SrTasks.exe
Parent process: dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 528
CMD: "C:\Program Files (x86)\Overwolf\OverwolfLauncher.exe" -launchapp ojgnfnbjckbpfaciphphehonokbggjhpnnoafack
Path: C:\Program Files (x86)\Overwolf\Overwolf.exe
Parent process: OverwolfLauncher.exe
User:
admin
Company:
Overwolf LTD
Integrity Level:
MEDIUM
Description:
Overwolf
Version:
0.266.1.26
Modules
Images
c:\program files (x86)\overwolf\overwolf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\overwolf\owutils.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 808
CMD: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1204 -burn.embedded BurnPipe.{4C84D939-C85D-4A13-AD1F-273E0B0015AD} {90E01020-F2BB-42F3-8F99-AB69641C626E} 6404
Path: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Parent process: VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code:
0
Version:
14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 872
CMD: "sc" sdshow OverwolfUpdater
Path: C:\Windows\System32\sc.exe
Parent process: OverwolfUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
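The twelve sc.exe launches the report attributes to OverwolfUpdater.exe include `sc sdshow OverwolfUpdater` (PID 872 above), which prints the service's security descriptor as an SDDL string. That output is not part of this report, so the check a practitioner would run on the installed host is shown here as an added example; it is not ANY.RUN's or Overwolf's code. It flags allow ACEs that grant takeover rights on a service (change config, write DAC, write owner, delete, generic all) to any principal other than Local System and Builtin Administrators. The two SDDL strings are constructed for illustration; the token-to-bit table is the standard Windows service access-rights mapping.

```python
import re

# Standard Windows service access rights: SDDL token -> (name, access-mask bit).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x00001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00002),
    "LC": ("SERVICE_QUERY_STATUS", 0x00004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x00008),
    "RP": ("SERVICE_START", 0x00010),
    "WP": ("SERVICE_STOP", 0x00020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x00040),
    "LO": ("SERVICE_INTERROGATE", 0x00080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x00100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# Rights that let the holder repoint the service binary, re-ACL the service, or delete and recreate it.
TAKEOVER = {"DC", "WD", "WO", "SD", "GA"}
# Principals expected to hold takeover rights on a service: Local System and Builtin Administrators.
TRUSTED_SIDS = {"SY", "BA"}

# Constructed SDDL strings for illustration; not output captured from the analysed host.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;AU)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")
WEAK = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;0x000F01FF;;;BU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")   # SACL; WD here is the Everyone SID, not WRITE_DAC

def rights_tokens(field):
    """Expand an ACE rights field, either two-letter tokens or a hex access mask, into tokens."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [tok for tok, (_, bit) in SERVICE_RIGHTS.items() if mask & bit]
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def dacl_aces(sddl):
    """Yield (ace_type, rights_tokens, sid) for each ACE in the DACL; the SACL after S: is ignored."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    if not m:
        return
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:          # an SDDL ACE has at least six ';'-separated fields
            continue
        yield fields[0], rights_tokens(fields[2]), fields[5]

def weak_service_aces(sddl):
    """[(sid, [takeover rights])] for allow ACEs that grant takeover rights to an untrusted SID."""
    findings = []
    for ace_type, rights, sid in dacl_aces(sddl):
        if ace_type != "A" or sid in TRUSTED_SIDS:
            continue
        bad = sorted(set(rights) & TAKEOVER)
        if bad:
            findings.append((sid, bad))
    return findings

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED), ("weak", WEAK)):
        hits = weak_service_aces(sddl)
        print(f"{label}: {'ok' if not hits else hits}")
```

Paste the string that `sc sdshow <service>` prints on the host into `weak_service_aces`. SDDL expresses rights either as the two-letter tokens or as a hex access mask when the bits do not reduce to tokens; the checker accepts both. Deny ACEs and anything after `S:` are deliberately ignored, and a literal `S-1-...` SID is treated as untrusted, which is the conservative default for a service that an updater process is inspecting.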
PID: 936
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2060 --field-trial-handle=2076,i,16049830400305547909,6557062901066300174,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1060
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1096
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4348 --field-trial-handle=2076,i,16049830400305547909,6557062901066300174,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1172
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1208
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1216
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4656 --field-trial-handle=2076,i,13026697606479653172,8207173793214993779,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
52 221
Read events
50 872
Write events
950
Delete events
399

Modification events

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4768) OWInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4768) OWInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4768) OWInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files
419
Suspicious files
501
Text files
738
Unknown types
9

Dropped files

PID
Process
Filename
Type
PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\uac.dll
Type: executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\System.dll
Type: executable
MD5: 7399323923E3946FE9140132AC388132
SHA256: 5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\nsProcess.dll
Type: executable
MD5: F0438A894F3A7E01A4AAE8D1B5DD0289
SHA256: 30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\UserInfo.dll
Type: executable
MD5: 9301577FF4D229347FE33259B43EF3B2
SHA256: 090C4BC8DC534E97B3877BD5115EB58B3E181495F29F231479F540BAB5C01EDC

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\SharpRaven.dll
Type: executable
MD5: 8F6FF3176E7F0B58B033B3D3F1303DB3
SHA256: 0EA20361A01F8FC8EAB21AB5613E77D36A3506793D4487438C314DAF86E90630

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\DotNetZip.dll
Type: executable
MD5: 190E712F2E3B065BA3D5F63CB9B7725E
SHA256: 6C512D9943A225D686B26FC832589E4C8BEF7C4DD0A8BDFD557D5D27FE5BBA0F

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\nsis7z.dll
Type: executable
MD5: 583A84E8A3C6C4C8FB41A00718AA2B21
SHA256: CB497A074F0CAD8198CB13C581BBC17D9B0D20A8DDE0BBDBA13522B68282DFC5

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\OWInstaller.exe
Type: executable
MD5: 805A1EB0AFB2A239AF7612C2F659A02F
SHA256: 28A6739560FB543702217930F3C22050142A9B09C2F94CAC653E5AAA14493596

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\Microsoft.Win32.TaskScheduler.dll
Type: executable
MD5: 9F725BA6EB84F97A3A10D064ECAB70E3
SHA256: 94961A4D686FA65B85B9E56A2A47AA87122C7B4F4FF8A9E7EF881C2A142283EB

PID: 5064
Process: CurseForge - Installer.exe
Filename: C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\Newtonsoft.Json.dll
Type: executable
MD5: 98CBB64F074DC600B23A2EE1A0F46448
SHA256: 7B44639CBFBC8DDAC8C7A3DE8FFA97A7460BEBB0D54E9FF2E1CCDC3A742C2B13
HTTP(S) requests
47
TCP/UDP connections
93
DNS requests
104
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3520
CurseForge - Installer.exe
GET
200
13.32.110.84:80
http://analyticsnew.overwolf.com/analytics/Counter?Name=installer_uac_action&Value=1&&Extra=%5b%7b%22Name%22%3a%22installer_version%22%2c%22Value%22%3a%222.250.0.2%22%7d%5d
unknown
whitelisted
4768
OWInstaller.exe
GET
200
142.250.181.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=15133501&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=985632566&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1185067807.1737468921.1737468921.1737468921.2%3B%2B__utmz%3D0.1737468921.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event
unknown
whitelisted
1592
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
142.250.181.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=105640680&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=953650969&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1185067807.1737468921.1737468921.1737468921.2%3B%2B__utmz%3D0.1737468921.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event
unknown
whitelisted
1296
svchost.exe
GET
200
88.221.110.147:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
3040
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1be742dc39d765d6
unknown
whitelisted
4768
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEm3iwvr9LEetiLFWbgGCBG0%3D
unknown
unknown
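Several of the HTTP requests above are OCSP lookups over GET (RFC 6960): the path after the host is a URL-encoded, base64 DER OCSPRequest. Decoding it tells you which certificate's status was queried (its serial number) and under which issuer (the SHA-1 of the issuer's key), which is how you separate a signature-verification side effect from a beacon to a look-alike host. The following decoder is an added example, not code from ANY.RUN or Overwolf; it uses only the Python standard library and is run here on the DigiCert and Amazon Trust requests copied from the table above. Attributing an issuerKeyHash to a CA is left to the reader: compare it with the Subject Key Identifier of the roots you suspect.

```python
import base64
from urllib.parse import unquote, urlsplit

# OCSP GET URLs copied from the report's HTTP table (svchost.exe PID 1592, OWInstaller.exe PID 4768).
DIGICERT_URL = ("http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQU"
                "A95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D")
AMAZON_URL = ("http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jF"
              "TaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D")

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def read_tlv(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed (SEQUENCE) value."""
    off = 0
    while off < len(value):
        tag, inner, off = read_tlv(value, off)
        yield tag, inner

def first_child(value, tag):
    """First child of a constructed value carrying the given DER tag."""
    return next(v for t, v in der_children(value) if t == tag)

def decode_oid(value):
    """Dotted OID from DER contents: first byte packs two arcs, the rest are base-128 groups."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_ocsp_get(url):
    """Decode an OCSP GET URL into the CertID(s) it asks about."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    tag, ocsp_request, _ = read_tlv(der, 0)         # OCSPRequest ::= SEQUENCE { tbsRequest, [0] signature OPTIONAL }
    if tag != 0x30:
        raise ValueError("OCSPRequest is not a SEQUENCE")
    tbs = first_child(ocsp_request, 0x30)           # TBSRequest; optional [0] version / [1] requestorName skipped
    request_list = first_child(tbs, 0x30)           # requestList ::= SEQUENCE OF Request
    out = []
    for _, request in der_children(request_list):
        cert_id = first_child(request, 0x30)        # reqCert ::= CertID (extensions, if any, follow it)
        alg, name_hash, key_hash, serial = (v for _, v in der_children(cert_id))
        oid = decode_oid(first_child(alg, 0x06))
        out.append({
            "hash_algorithm": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),    # hash of the issuer's DER Name
            "issuer_key_hash": key_hash.hex(),      # hash of the issuer's public key; compare with the CA's SKI
            "serial": serial.hex(),                 # serial of the certificate whose status is being asked
        })
    return out

if __name__ == "__main__":
    for url in (DIGICERT_URL, AMAZON_URL):
        for cert_id in parse_ocsp_get(url):
            print(urlsplit(url).netloc, cert_id)
```

Only the two hash OIDs in HASH_OIDS are given names; anything else comes back as the dotted OID. Nonce extensions and signed requests are skipped rather than parsed, since neither appears in these URLs. The same walk works on a POST body captured from the PCAP, minus the URL decoding step.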

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3520
CurseForge - Installer.exe
13.32.110.84:80
analyticsnew.overwolf.com
AMAZON-02
US
whitelisted
1296
svchost.exe
88.221.110.216:80
Akamai International B.V.
DE
unknown
3040
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3040
MoUsoCoreWorker.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
1592
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1592
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5552
svchost.exe
239.255.255.250:1900
whitelisted
4768
OWInstaller.exe
142.250.181.238:80
www.google-analytics.com
GOOGLE
US
whitelisted
1296
svchost.exe
88.221.110.147:80
Akamai International B.V.
DE
unknown
4768
OWInstaller.exe
13.32.110.84:443
analyticsnew.overwolf.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
analyticsnew.overwolf.com
  • 13.32.110.84
  • 13.32.110.4
  • 13.32.110.114
  • 13.32.110.105
  • 18.244.18.51
  • 18.244.18.106
  • 18.244.18.56
  • 18.244.18.46
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.22
  • 40.126.32.72
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
www.google-analytics.com
  • 142.250.181.238
whitelisted
fs.microsoft.com
  • 184.28.90.27
whitelisted
content.overwolf.com
  • 18.245.86.110
  • 18.245.86.39
  • 18.245.86.78
  • 18.245.86.117
whitelisted
ocsp.rootca3.amazontrust.com
  • 18.245.38.41
unknown
storeapi.overwolf.com
  • 18.172.112.117
  • 18.172.112.84
  • 18.172.112.62
  • 18.172.112.72
shared

Threats

PID
Process
Class
Message
3520
CurseForge - Installer.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1296
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
2 ETPRO signatures available at the full report
Process
Message
msiexec.exe
Failed to release Service
OverwolfLauncher.exe
OWLauncher::Process executed C:\Program Files (x86)\Overwolf\Overwolf.exe
OverwolfLauncher.exe
OWLauncher::Waiting for event...