File name:

CurseForge - Installer.exe

Full analysis: https://app.any.run/tasks/8365915e-19e1-4637-8a93-83206919cc06
Verdict: Malicious activity
Analysis date: January 21, 2025, 14:15:03
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
arch-doc
arch-html
arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

9869DDF1F215D8899015FC1C8569566D

SHA1:

4AC02E9E4495C5EF769C5EB52041229389EAFA3D

SHA256:

5743075FA3FA7CD8A1B2C582405F583F886C0D3539EA1C2A1AFDB76D4EE1D43B

SSDEEP:

98304:p0qtzNa6J/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhuhKrHVk2ENB0+o1QVNGRpQ:w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 6404)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
    • Executable content was dropped or overwritten

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • vcredist.exe (PID: 7012)
      • vcredist.exe (PID: 3060)
      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 6404)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
    • Reads the Internet Settings

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • WerFault.exe (PID: 1912)
      • vcredist.exe (PID: 3060)
      • OverwolfLauncher.exe (PID: 2212)
      • VC_redist.x64.exe (PID: 5264)
    • The process creates files with name similar to system file names

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
    • Drops 7-zip archiver for unpacking

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
    • Reads security settings of Internet Explorer

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • vcredist.exe (PID: 3060)
      • OverwolfLauncher.exe (PID: 2212)
      • VC_redist.x64.exe (PID: 5264)
    • Application launched itself

      • CurseForge - Installer.exe (PID: 5064)
      • VC_redist.x64.exe (PID: 808)
      • VC_redist.x64.exe (PID: 5264)
    • Reads the date of Windows installation

      • OWInstaller.exe (PID: 4768)
    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 2892)
    • Reads Internet Explorer settings

      • OWInstaller.exe (PID: 4768)
    • There is functionality for taking screenshot (YARA)

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
    • Reads settings of System Certificates

      • OWInstaller.exe (PID: 4768)
      • dxdiag.exe (PID: 2892)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • OverwolfLauncher.exe (PID: 2212)
    • Checks Windows Trust Settings

      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • msiexec.exe (PID: 1208)
    • Reads Microsoft Outlook installation path

      • OWInstaller.exe (PID: 4768)
    • The process drops C-runtime libraries

      • OverwolfSetup.exe (PID: 1424)
      • msiexec.exe (PID: 1208)
    • Process drops legitimate windows executable

      • OverwolfSetup.exe (PID: 1424)
      • vcredist.exe (PID: 3060)
      • vcredist.exe (PID: 7012)
      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • VC_redist.x64.exe (PID: 2192)
    • Creates a software uninstall entry

      • OverwolfSetup.exe (PID: 1424)
      • VC_redist.x64.exe (PID: 6404)
    • Executes application which crashes

      • checkRedist.exe (PID: 6516)
    • Windows service management via SC.EXE

      • sc.exe (PID: 5276)
      • sc.exe (PID: 3888)
      • sc.exe (PID: 2928)
      • sc.exe (PID: 2256)
      • sc.exe (PID: 6116)
      • sc.exe (PID: 872)
      • sc.exe (PID: 3252)
      • sc.exe (PID: 5800)
      • sc.exe (PID: 6100)
      • sc.exe (PID: 1872)
      • sc.exe (PID: 5160)
      • sc.exe (PID: 2832)
    • Adds/modifies Windows certificates

      • OverwolfUpdater.exe (PID: 4628)
    • Starts SC.EXE for service management

      • OverwolfUpdater.exe (PID: 4628)
    • Starts a Microsoft application from unusual location

      • vcredist.exe (PID: 3060)
      • VC_redist.x64.exe (PID: 6404)
    • Searches for installed software

      • vcredist.exe (PID: 3060)
      • VC_redist.x64.exe (PID: 6404)
      • dllhost.exe (PID: 6788)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
    • Starts itself from another location

      • vcredist.exe (PID: 3060)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1060)
    • The process executes via Task Scheduler

      • OverwolfLauncher.exe (PID: 2212)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1208)
  • INFO

    • The sample compiled with english language support

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • vcredist.exe (PID: 7012)
      • vcredist.exe (PID: 3060)
      • OWInstaller.exe (PID: 4768)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
    • Checks supported languages

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • OverwolfUpdater.exe (PID: 4628)
      • OverwolfTSHelper.exe (PID: 6308)
      • checkRedist.exe (PID: 6516)
      • vcredist.exe (PID: 7012)
      • OverwolfLauncher.exe (PID: 2212)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • identity_helper.exe (PID: 1096)
      • VC_redist.x64.exe (PID: 808)
      • VC_redist.x64.exe (PID: 2192)
      • VC_redist.x64.exe (PID: 5264)
      • Overwolf.exe (PID: 528)
      • vcredist.exe (PID: 3060)
    • Reads the computer name

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • OverwolfTSHelper.exe (PID: 6308)
      • OverwolfUpdater.exe (PID: 4628)
      • vcredist.exe (PID: 7012)
      • vcredist.exe (PID: 3060)
      • VC_redist.x64.exe (PID: 6404)
      • msiexec.exe (PID: 1208)
      • identity_helper.exe (PID: 1096)
      • VC_redist.x64.exe (PID: 5264)
      • VC_redist.x64.exe (PID: 2192)
      • Overwolf.exe (PID: 528)
    • Create files in a temporary directory

      • CurseForge - Installer.exe (PID: 5064)
      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • vcredist.exe (PID: 3060)
    • Checks proxy server information

      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
    • Creates files or folders in the user directory

      • CurseForge - Installer.exe (PID: 3520)
      • OWInstaller.exe (PID: 4768)
      • dxdiag.exe (PID: 2892)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • WerFault.exe (PID: 1912)
    • Reads the machine GUID from the registry

      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • msiexec.exe (PID: 1208)
      • VC_redist.x64.exe (PID: 6404)
      • Overwolf.exe (PID: 528)
    • Reads product name

      • OWInstaller.exe (PID: 4768)
    • Reads Environment values

      • OWInstaller.exe (PID: 4768)
      • identity_helper.exe (PID: 1096)
      • Overwolf.exe (PID: 528)
    • Disables trace logs

      • OWInstaller.exe (PID: 4768)
    • Reads security settings of Internet Explorer

      • dxdiag.exe (PID: 2892)
    • Reads the software policy settings

      • OWInstaller.exe (PID: 4768)
      • dxdiag.exe (PID: 2892)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 4628)
      • WerFault.exe (PID: 1912)
      • msiexec.exe (PID: 1208)
      • OverwolfLauncher.exe (PID: 2212)
    • Creates files in the program directory

      • OWInstaller.exe (PID: 4768)
      • OverwolfSetup.exe (PID: 1424)
      • OverwolfUpdater.exe (PID: 1400)
      • OverwolfUpdater.exe (PID: 4628)
    • The process uses the downloaded file

      • OWInstaller.exe (PID: 4768)
    • Manual execution by a user

      • msedge.exe (PID: 2436)
    • Application launched itself

      • msedge.exe (PID: 2592)
      • msedge.exe (PID: 3852)
      • msedge.exe (PID: 2436)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1208)
    • Manages system restore points

      • SrTasks.exe (PID: 252)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.250.0.2
ProductVersionNumber: 2.250.0.2
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: Overwolf Ltd.
FileDescription: CurseForge
FileVersion: 2.250.0.2
LegalCopyright: Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks: -
ProductName: CurseForge
ProductVersion: 2.250.0.2
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
85
Malicious processes
12
Suspicious processes
1

Behavior graph

start curseforge - installer.exe curseforge - installer.exe owinstaller.exe dxdiag.exe no specs overwolfsetup.exe overwolfupdater.exe overwolfupdater.exe overwolftshelper.exe no specs checkredist.exe conhost.exe no specs werfault.exe sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs vcredist.exe vcredist.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs msedge.exe no specs overwolflauncher.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe overwolf.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
252
CMD:
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:14
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID:
528
CMD:
"C:\Program Files (x86)\Overwolf\OverwolfLauncher.exe" -launchapp ojgnfnbjckbpfaciphphehonokbggjhpnnoafack
Path:
C:\Program Files (x86)\Overwolf\Overwolf.exe
Parent process:
OverwolfLauncher.exe
User:
admin
Company:
Overwolf LTD
Integrity Level:
MEDIUM
Description:
Overwolf
Version:
0.266.1.26
Modules
Images
c:\program files (x86)\overwolf\overwolf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\overwolf\owutils.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
808
CMD:
"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1204 -burn.embedded BurnPipe.{4C84D939-C85D-4A13-AD1F-273E0B0015AD} {90E01020-F2BB-42F3-8F99-AB69641C626E} 6404
Path:
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Parent process:
VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code:
0
Version:
14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID:
872
CMD:
"sc" sdshow OverwolfUpdater
Path:
C:\Windows\System32\sc.exe
Parent process:
OverwolfUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
936
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2060 --field-trial-handle=2076,i,16049830400305547909,6557062901066300174,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1060
CMD:
C:\Windows\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4348 --field-trial-handle=2076,i,16049830400305547909,6557062901066300174,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
1172
CMD:
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
1208
CMD:
C:\Windows\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
1216
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4656 --field-trial-handle=2076,i,13026697606479653172,8207173793214993779,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
52 221
Read events
50 872
Write events
950
Delete events
399

Modification events

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3520) CurseForge - Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4768) OWInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4768) OWInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4768) OWInstaller.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files
419
Suspicious files
501
Text files
738
Unknown types
9

Dropped files

PID | Process | Filename | Type
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\nsProcess.dll | executable
MD5: F0438A894F3A7E01A4AAE8D1B5DD0289
SHA256: 30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\log4net.dll | executable
MD5: F15C8A9E2876568B3910189B2D493706
SHA256: AE9C8073C3357C490F5D1C64101362918357C568F6B9380A60B09A4A4C1FF309
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\OWInstaller.exe | executable
MD5: 805A1EB0AFB2A239AF7612C2F659A02F
SHA256: 28A6739560FB543702217930F3C22050142A9B09C2F94CAC653E5AAA14493596
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\DotNetZip.dll | executable
MD5: 190E712F2E3B065BA3D5F63CB9B7725E
SHA256: 6C512D9943A225D686B26FC832589E4C8BEF7C4DD0A8BDFD557D5D27FE5BBA0F
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\uac.dll | executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\websocket-sharp.dll | executable
MD5: CB39CB181DE7D36C82D2DFD178802F38
SHA256: 8B7230E7CD859DDEEB5FB48346E9576E47098C1009620C2E5D585BEF4B108FBC
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\Microsoft.Win32.TaskScheduler.dll | executable
MD5: 9F725BA6EB84F97A3A10D064ECAB70E3
SHA256: 94961A4D686FA65B85B9E56A2A47AA87122C7B4F4FF8A9E7EF881C2A142283EB
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\SharpRaven.dll | executable
MD5: 8F6FF3176E7F0B58B033B3D3F1303DB3
SHA256: 0EA20361A01F8FC8EAB21AB5613E77D36A3506793D4487438C314DAF86E90630
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\OverWolf.Client.CommonUtils.dll | executable
MD5: 6A45B1F51B619BA08761FC91567BF0A7
SHA256: 4AD3ECD0591F8DAD217D5D99E11D809CC699C28F55296845148254F6FCE69828
5064 | CurseForge - Installer.exe | C:\Users\admin\AppData\Local\Temp\nseA9B.tmp\CommandLine.dll | executable
MD5: 1D859391711A062C5F48212686505A6A
SHA256: CEE8683C16CC43A542CFA1490894F555857EAF031FCDFB1ED7059E1538E21C8A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
93
DNS requests
104
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3520
CurseForge - Installer.exe
GET
200
13.32.110.84:80
http://analyticsnew.overwolf.com/analytics/Counter?Name=installer_uac_action&Value=1&&Extra=%5b%7b%22Name%22%3a%22installer_version%22%2c%22Value%22%3a%222.250.0.2%22%7d%5d
unknown
whitelisted
1592
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
142.250.181.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=15133501&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=985632566&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1185067807.1737468921.1737468921.1737468921.2%3B%2B__utmz%3D0.1737468921.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event
unknown
whitelisted
4768
OWInstaller.exe
GET
200
142.250.181.238:80
http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=105640680&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=953650969&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1185067807.1737468921.1737468921.1737468921.2%3B%2B__utmz%3D0.1737468921.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event
unknown
whitelisted
3040
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1be742dc39d765d6
unknown
whitelisted
1296
svchost.exe
GET
200
88.221.110.147:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
4768
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEm3iwvr9LEetiLFWbgGCBG0%3D
unknown
unknown
4768
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D
unknown
whitelisted
4768
OWInstaller.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3520
CurseForge - Installer.exe
13.32.110.84:80
analyticsnew.overwolf.com
AMAZON-02
US
whitelisted
1296
svchost.exe
88.221.110.216:80
Akamai International B.V.
DE
unknown
3040
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3040
MoUsoCoreWorker.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
1592
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1592
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5552
svchost.exe
239.255.255.250:1900
whitelisted
4768
OWInstaller.exe
142.250.181.238:80
www.google-analytics.com
GOOGLE
US
whitelisted
1296
svchost.exe
88.221.110.147:80
Akamai International B.V.
DE
unknown
4768
OWInstaller.exe
13.32.110.84:443
analyticsnew.overwolf.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
analyticsnew.overwolf.com
  • 13.32.110.84
  • 13.32.110.4
  • 13.32.110.114
  • 13.32.110.105
  • 18.244.18.51
  • 18.244.18.106
  • 18.244.18.56
  • 18.244.18.46
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.22
  • 40.126.32.72
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
www.google-analytics.com
  • 142.250.181.238
whitelisted
fs.microsoft.com
  • 184.28.90.27
whitelisted
content.overwolf.com
  • 18.245.86.110
  • 18.245.86.39
  • 18.245.86.78
  • 18.245.86.117
whitelisted
ocsp.rootca3.amazontrust.com
  • 18.245.38.41
unknown
storeapi.overwolf.com
  • 18.172.112.117
  • 18.172.112.84
  • 18.172.112.62
  • 18.172.112.72
shared

Threats

PID
Process
Class
Message
3520
CurseForge - Installer.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1296
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
6892
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
2 ETPRO signatures available at the full report
Process
Message
msiexec.exe
Failed to release Service
OverwolfLauncher.exe
OWLauncher::Process executed C:\Program Files (x86)\Overwolf\Overwolf.exe
OverwolfLauncher.exe
OWLauncher::Waiting for event...