Malware analysis Thunderstore Mod Manager - Installer.exe Malicious activity

Add for printing

File name:	Thunderstore Mod Manager - Installer.exe
Full analysis:	https://app.any.run/tasks/163f55a5-ac30-4331-8b2e-ec3d4f773cb9
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 02, 2025, 02:30:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-scr arch-html arch-doc stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	AD4EA7FCDEFBD8AF50D5EA432D4B9C22
SHA1:	A5828E81CCB4ED9E627916E5A29AD4AD4B3A3AEC
SHA256:	6097E551A21D28D5B774DD160B5FDCCD0908B8F43BE70F816E877DA35D30AA9E
SSDEEP:	98304:R//rhEGJ/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhBIHtugzPFMNxs3JPAWQPIap:ZIYaROW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - OWInstaller.exe (PID: 7512)
  - VC_redist.x64.exe (PID: 6208)
- Actions looks like stealing of personal data
  - OverwolfLauncher.exe (PID: 7956)
- Steals credentials from Web Browsers
  - OverwolfLauncher.exe (PID: 7956)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 3784)
  - vcredist.exe (PID: 2192)
  - vcredist.exe (PID: 8084)
  - OWInstaller.exe (PID: 7512)
  - VC_redist.x64.exe (PID: 6208)
  - Overwolf.exe (PID: 6032)
  - VC_redist.x64.exe (PID: 7468)
  - VC_redist.x64.exe (PID: 1672)
- Malware-specific behavior (creating "System.dll" in Temp)
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OverwolfSetup.exe (PID: 8036)
- Drops 7-zip archiver for unpacking
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 3784)
- Reads security settings of Internet Explorer
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 4220)
  - vcredist.exe (PID: 8084)
  - OverwolfLauncher.exe (PID: 3900)
  - OverwolfLauncher.exe (PID: 7956)
  - Overwolf.exe (PID: 6032)
  - ShellExperienceHost.exe (PID: 2420)
  - VC_redist.x64.exe (PID: 7468)
- Application launched itself
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - OverwolfLauncher.exe (PID: 3900)
  - VC_redist.x64.exe (PID: 7396)
  - VC_redist.x64.exe (PID: 7468)
- The process creates files with name similar to system file names
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - OverwolfSetup.exe (PID: 8036)
- Reads the date of Windows installation
  - OWInstaller.exe (PID: 7512)
- Creates/Modifies COM task schedule object
  - dxdiag.exe (PID: 7752)
  - dxdiag.exe (PID: 5544)
  - dxdiag.exe (PID: 4428)
  - dxdiag.exe (PID: 2284)
  - dxdiag.exe (PID: 2516)
  - dxdiag.exe (PID: 7976)
  - dxdiag.exe (PID: 5968)
  - dxdiag.exe (PID: 5084)
  - dxdiag.exe (PID: 5640)
- Reads Microsoft Outlook installation path
  - OWInstaller.exe (PID: 7512)
- Reads Internet Explorer settings
  - OWInstaller.exe (PID: 7512)
- Checks Windows Trust Settings
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 4220)
  - msiexec.exe (PID: 4120)
  - Overwolf.exe (PID: 6032)
- There is functionality for taking screenshot (YARA)
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
- Process drops legitimate windows executable
  - OverwolfSetup.exe (PID: 8036)
  - vcredist.exe (PID: 2192)
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 6208)
  - msiexec.exe (PID: 4120)
  - VC_redist.x64.exe (PID: 1672)
- The process drops C-runtime libraries
  - OverwolfSetup.exe (PID: 8036)
  - msiexec.exe (PID: 4120)
- Executes application which crashes
  - checkRedist.exe (PID: 4284)
- Creates a software uninstall entry
  - OverwolfSetup.exe (PID: 8036)
  - VC_redist.x64.exe (PID: 6208)
  - Overwolf.exe (PID: 6032)
- Windows service management via SC.EXE
  - sc.exe (PID: 6516)
  - sc.exe (PID: 7284)
  - sc.exe (PID: 660)
  - sc.exe (PID: 6752)
  - sc.exe (PID: 7764)
  - sc.exe (PID: 4208)
  - sc.exe (PID: 8176)
  - sc.exe (PID: 1628)
  - sc.exe (PID: 5416)
  - sc.exe (PID: 960)
  - sc.exe (PID: 7396)
  - sc.exe (PID: 6072)
- Starts SC.EXE for service management
  - OverwolfUpdater.exe (PID: 4220)
- Starts a Microsoft application from unusual location
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 6208)
- Searches for installed software
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 6208)
  - dllhost.exe (PID: 3268)
  - Overwolf.exe (PID: 6032)
  - VC_redist.x64.exe (PID: 7468)
  - VC_redist.x64.exe (PID: 1672)
- Starts itself from another location
  - vcredist.exe (PID: 8084)
- Executes as Windows Service
  - VSSVC.exe (PID: 7244)
- The process executes via Task Scheduler
  - OverwolfLauncher.exe (PID: 3900)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 4120)
- The process checks if it is being run in the virtual environment
  - msiexec.exe (PID: 4120)
INFO
- The sample compiled with english language support
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 3784)
  - vcredist.exe (PID: 2192)
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 6208)
  - msiexec.exe (PID: 4120)
  - Overwolf.exe (PID: 6032)
  - VC_redist.x64.exe (PID: 1672)
  - VC_redist.x64.exe (PID: 7468)
- Process checks computer location settings
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - OWInstaller.exe (PID: 7512)
  - vcredist.exe (PID: 8084)
  - OverwolfBrowser.exe (PID: 5680)
  - Overwolf.exe (PID: 6032)
  - VC_redist.x64.exe (PID: 7468)
- Create files in a temporary directory
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - VC_redist.x64.exe (PID: 6208)
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 7468)
- Checks supported languages
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 3784)
  - checkRedist.exe (PID: 4284)
  - OverwolfTSHelper.exe (PID: 7020)
  - OverwolfUpdater.exe (PID: 4220)
  - vcredist.exe (PID: 2192)
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 6208)
  - OverwolfLauncher.exe (PID: 7956)
  - Overwolf.exe (PID: 6032)
  - OverwolfLauncher.exe (PID: 3900)
  - msiexec.exe (PID: 4120)
  - OverwolfTSHelper.exe (PID: 6264)
  - OverwolfBrowser.exe (PID: 3124)
  - ShellExperienceHost.exe (PID: 2420)
  - OverwolfBrowser.exe (PID: 7772)
  - OverwolfBrowser.exe (PID: 2236)
  - OverwolfBrowser.exe (PID: 5680)
  - VC_redist.x64.exe (PID: 7396)
  - VC_redist.x64.exe (PID: 7468)
  - VC_redist.x64.exe (PID: 1672)
- Reads the computer name
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - Thunderstore Mod Manager - Installer.exe (PID: 7256)
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 3784)
  - OverwolfUpdater.exe (PID: 4220)
  - OverwolfTSHelper.exe (PID: 7020)
  - vcredist.exe (PID: 2192)
  - vcredist.exe (PID: 8084)
  - VC_redist.x64.exe (PID: 6208)
  - OverwolfLauncher.exe (PID: 7956)
  - OverwolfLauncher.exe (PID: 3900)
  - Overwolf.exe (PID: 6032)
  - msiexec.exe (PID: 4120)
  - OverwolfTSHelper.exe (PID: 6264)
  - OverwolfBrowser.exe (PID: 3124)
  - ShellExperienceHost.exe (PID: 2420)
  - OverwolfBrowser.exe (PID: 7772)
  - OverwolfBrowser.exe (PID: 5680)
  - OverwolfBrowser.exe (PID: 2236)
  - VC_redist.x64.exe (PID: 7468)
  - VC_redist.x64.exe (PID: 1672)
- Checks proxy server information
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OWInstaller.exe (PID: 7512)
  - dxdiag.exe (PID: 7752)
  - BackgroundTransferHost.exe (PID: 680)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 4220)
  - slui.exe (PID: 7464)
  - Overwolf.exe (PID: 6032)
- Creates files or folders in the user directory
  - Thunderstore Mod Manager - Installer.exe (PID: 7412)
  - OWInstaller.exe (PID: 7512)
  - dxdiag.exe (PID: 7752)
  - dxdiag.exe (PID: 5084)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 4220)
  - WerFault.exe (PID: 1660)
  - OverwolfLauncher.exe (PID: 7956)
  - Overwolf.exe (PID: 6032)
  - msiexec.exe (PID: 4120)
  - OverwolfBrowser.exe (PID: 3124)
  - BackgroundTransferHost.exe (PID: 680)
  - OverwolfBrowser.exe (PID: 2236)
- Reads product name
  - OWInstaller.exe (PID: 7512)
  - Overwolf.exe (PID: 6032)
- Reads the machine GUID from the registry
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 4220)
  - Overwolf.exe (PID: 6032)
  - VC_redist.x64.exe (PID: 6208)
  - msiexec.exe (PID: 4120)
  - OverwolfBrowser.exe (PID: 3124)
  - OverwolfBrowser.exe (PID: 7772)
  - OverwolfBrowser.exe (PID: 5680)
  - OverwolfBrowser.exe (PID: 2236)
- Disables trace logs
  - OWInstaller.exe (PID: 7512)
  - Overwolf.exe (PID: 6032)
- Reads the software policy settings
  - OWInstaller.exe (PID: 7512)
  - dxdiag.exe (PID: 7752)
  - BackgroundTransferHost.exe (PID: 680)
  - dxdiag.exe (PID: 5640)
  - dxdiag.exe (PID: 5544)
  - dxdiag.exe (PID: 4428)
  - dxdiag.exe (PID: 2516)
  - dxdiag.exe (PID: 2284)
  - slui.exe (PID: 7556)
  - dxdiag.exe (PID: 7976)
  - dxdiag.exe (PID: 5968)
  - dxdiag.exe (PID: 5084)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 4220)
  - slui.exe (PID: 7464)
  - OverwolfLauncher.exe (PID: 3900)
  - OverwolfLauncher.exe (PID: 7956)
  - Overwolf.exe (PID: 6032)
  - msiexec.exe (PID: 4120)
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 2568)
  - dxdiag.exe (PID: 7752)
  - BackgroundTransferHost.exe (PID: 680)
  - BackgroundTransferHost.exe (PID: 1672)
  - dxdiag.exe (PID: 5640)
  - dxdiag.exe (PID: 5544)
  - dxdiag.exe (PID: 4428)
  - dxdiag.exe (PID: 2516)
  - dxdiag.exe (PID: 2284)
  - dxdiag.exe (PID: 7976)
  - dxdiag.exe (PID: 5968)
  - dxdiag.exe (PID: 5084)
  - BackgroundTransferHost.exe (PID: 4448)
  - BackgroundTransferHost.exe (PID: 6516)
- Creates files in the program directory
  - OWInstaller.exe (PID: 7512)
  - OverwolfSetup.exe (PID: 8036)
  - OverwolfUpdater.exe (PID: 3784)
  - OverwolfUpdater.exe (PID: 4220)
  - VC_redist.x64.exe (PID: 6208)
  - Overwolf.exe (PID: 6032)
- Manages system restore points
  - SrTasks.exe (PID: 7460)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4120)
- Creates a software uninstall entry
  - msiexec.exe (PID: 4120)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	186880
UninitializedDataSize:	2048
EntryPoint:	0x352d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.266.0.11
ProductVersionNumber:	2.266.0.11
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	-
CompanyName:	Overwolf Ltd.
FileDescription:	Overwolf
FileVersion:	2.266.0.11
LegalCopyright:	Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks:	-
ProductName:	Overwolf
ProductVersion:	2.266.0.11

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

220

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

660

"sc" sdshow OverwolfUpdater

C:\Windows\System32\sc.exe

—

OverwolfUpdater.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

680

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

960

"sc" sdshow OverwolfUpdater

C:\Windows\System32\sc.exe

—

OverwolfUpdater.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1040

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1628

"sc" sdshow OverwolfUpdater

C:\Windows\System32\sc.exe

—

OverwolfUpdater.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1660

C:\WINDOWS\system32\WerFault.exe -u -p 4284 -s 188

C:\Windows\System32\WerFault.exe

—

checkRedist.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll

1672

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

1672

"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{6668B30E-9E48-485B-B960-35A22B525430} {C1920898-56A0-4BDD-AD6A-12FCF84BAF65} 7468

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

VC_redist.x64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532

Exit code:

Version:

14.36.32532.0

Modules

Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2104

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2192

"C:\ProgramData\Overwolf\Setup\vcredist.exe" /q /norestart /repair

C:\ProgramData\Overwolf\Setup\vcredist.exe

OverwolfSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34438

Exit code:

3010

Version:

14.42.34438.0

Modules

Images
c:\programdata\overwolf\setup\vcredist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

87 112

Read events

85 261

Write events

1 304

Delete events

547

Modification events


(PID) Process:	(7412) Thunderstore Mod Manager - Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7412) Thunderstore Mod Manager - Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7412) Thunderstore Mod Manager - Installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\OverwolfPersist
Operation:	write	Name:	MUIDV2
Value: 42d64580-5409-4eb3-8afd-2ed025ecbc02
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OverwolfPersist
Operation:	write	Name:	MUIDV2
Value: 42d64580-5409-4eb3-8afd-2ed025ecbc02
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Overwolf
Operation:	write	Name:	MUID
Value: bb926e54-e3ca-40fd-ae90-2764341e7792
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7512) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:

Add for printing

Executable files

409

Suspicious files

1 215

Text files

1 649

Unknown types

Dropped files

PID	Process	Filename		Type
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\nsProcess.dll		executable
		MD5:10E47E822B85D2A12FA4727001612182	SHA256:D530589A90918334B8E08D7355630892DD62F41333D948A860735D5BECFCB391
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\OWInstaller.exe		executable
		MD5:D58D2772011C07E51FDDCB8D592F61FE	SHA256:9A737F35E38ABCB7E264DB5DEE7BE9E558492060B59BFB305D967F3960DD4D9F
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\Newtonsoft.Json.dll		executable
		MD5:98CBB64F074DC600B23A2EE1A0F46448	SHA256:7B44639CBFBC8DDAC8C7A3DE8FFA97A7460BEBB0D54E9FF2E1CCDC3A742C2B13
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\OWInstaller.exe.config		xml
		MD5:82D22E4E19E27E306317513B9BFA70FF	SHA256:272E4C5364193E73633CAA3793E07509A349B79314EA01808B24FDB12C51B827
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\uac.dll		executable
		MD5:861F7E800BB28F68927E65719869409C	SHA256:10A0E8CF46038AB3B2C3CF5DCE407B9A043A631CBDE9A5C8BCF0A54B2566C010
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\OverWolf.Client.CommonUtils.dll		executable
		MD5:4B85D50C14F6FC3318144CBFC50C7919	SHA256:2FF838143F0A8267836552D21F58F74D532663D8B3E3A9B806D1A55A900C5266
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\websocket-sharp.dll		executable
		MD5:1B4FCDE3554ED9CA14E8E7C3A1706FB3	SHA256:B152284FD1EF5CEBEE56802F13B46DEF7C136F0C50FB173AE29CF0648BB4CB1F
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\Microsoft.Win32.TaskScheduler.dll		executable
		MD5:198949A4C3E67B9EB916140DFF75C114	SHA256:0BDAD6DEB1B651E0A52BAB4DB2C7883C9332884AA37300B3439C69D85B054C7C
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\SharpRaven.dll		executable
		MD5:271251960BF1D6A491803E15BD562E45	SHA256:776C6B0642F7A3F3F3AD3CC6BB5F1D528E90C6029B671D8F82B0320B185B92A7
7256	Thunderstore Mod Manager - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsxCA86.tmp\log4net.dll		executable
		MD5:F15C8A9E2876568B3910189B2D493706	SHA256:AE9C8073C3357C490F5D1C64101362918357C568F6B9380A60B09A4A4C1FF309

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7412	Thunderstore Mod Manager - Installer.exe	GET	200	18.244.18.46:80	http://analyticsnew.overwolf.com/analytics/Counter?Name=installer_uac_action&Value=1&&Extra=%5b%7b%22Name%22%3a%22installer_version%22%2c%22Value%22%3a%222.266.0.11%22%7d%5d	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	142.250.184.206:80	http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=371259971&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=468336481&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1141985554.1740882645.1740882645.1740882645.2%3B%2B__utmz%3D0.1740882645.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	142.250.184.206:80	http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=872910957&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=695032137&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1141985554.1740882645.1740882645.1740882645.2%3B%2B__utmz%3D0.1740882645.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A2.0.50727%20SP2%2C%203.0%20SP2%2C%203.5%20SP1%2C%204%20Client%2C%204%20Full%2C%204.0%20Client%29%28%29&gaq=1&utmt=event	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	18.66.145.213:80	http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEnA9eVH9TrLXPKuCavuqCA0%3D	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	18.66.145.213:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	18.66.145.213:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	142.250.186.131:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	142.250.186.131:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	142.250.186.163:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDoyTZyUm5zghCk1vB5odPo	unknown	—	—	whitelisted
7512	OWInstaller.exe	GET	200	142.250.186.163:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCub4hesQArQgquZ3VEkmb2	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2040	backgroundTaskHost.exe	20.103.156.88:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2040	backgroundTaskHost.exe	20.223.35.26:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3008	backgroundTaskHost.exe	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
7412	Thunderstore Mod Manager - Installer.exe	18.244.18.46:80	analyticsnew.overwolf.com	—	US	whitelisted
7512	OWInstaller.exe	142.250.184.206:80	www.google-analytics.com	GOOGLE	US	whitelisted
7512	OWInstaller.exe	18.244.18.46:443	analyticsnew.overwolf.com	—	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	172.217.16.206	whitelisted
login.live.com	20.190.160.64 20.190.160.2 20.190.160.66 20.190.160.67 20.190.160.130 20.190.160.3 40.126.32.138 20.190.160.4	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
www.bing.com	2.23.227.208 2.23.227.215 23.15.178.147 23.15.178.200 23.15.178.226	whitelisted
arc.msn.com	20.103.156.88	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
analyticsnew.overwolf.com	18.244.18.46 18.244.18.56 18.244.18.51 18.244.18.106	whitelisted
www.google-analytics.com	142.250.184.206	whitelisted
content.overwolf.com	18.245.86.39 18.245.86.110 18.245.86.78 18.245.86.117	whitelisted

Threats

PID	Process	Class	Message
7412	Thunderstore Mod Manager - Installer.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))

Add for printing

Process	Message
msiexec.exe	Failed to release Service

General Info

Thunderstore Mod Manager - Installer.exe

AD4EA7FCDEFBD8AF50D5EA432D4B9C22

A5828E81CCB4ED9E627916E5A29AD4AD4B3A3AEC

6097E551A21D28D5B774DD160B5FDCCD0908B8F43BE70F816E877DA35D30AA9E

98304:R//rhEGJ/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhBIHtugzPFMNxs3JPAWQPIap:ZIYaROW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

Drops 7-zip archiver for unpacking

Reads security settings of Internet Explorer

Application launched itself

The process creates files with name similar to system file names

Reads the date of Windows installation

Creates/Modifies COM task schedule object

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Checks Windows Trust Settings

There is functionality for taking screenshot (YARA)

Process drops legitimate windows executable

The process drops C-runtime libraries

Executes application which crashes

Creates a software uninstall entry

Windows service management via SC.EXE

Starts SC.EXE for service management

Starts a Microsoft application from unusual location

Searches for installed software

Starts itself from another location

Executes as Windows Service

The process executes via Task Scheduler

Reads the Windows owner or organization settings

The process checks if it is being run in the virtual environment

INFO

The sample compiled with english language support

Process checks computer location settings

Create files in a temporary directory

Checks supported languages

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Reads product name

Reads the machine GUID from the registry

Disables trace logs

Reads the software policy settings

Reads security settings of Internet Explorer

Creates files in the program directory

Manages system restore points

Executable content was dropped or overwritten

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules