File name: Modrinth App_0.8.9_x64-setup.exe

Full analysis: https://app.any.run/tasks/ac7b9ba9-4b02-46a8-b656-e52e411502cc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 19, 2024, 14:50:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 46AA1ECE5654D3494B107E233FF3B0C5
SHA1: 55B61B98C0B414EA9795C53753414534E364E0F0
SHA256: 6B54AB432656144FA76C1A7AB52F049F3FE0C7B73D3157629A1CD40F33BBB533
SSDEEP: 98304:ZJ8JUn4pwxuC8W8yuFB7GuQyISG7YkGzUXo5TeAOrr0gQsuoVYNm/+rYLrj9cJzf:Z5/Hgqb59lkwnI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
    • Searches for installed software

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
    • The process creates files with name similar to system file names

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
    • Executable content was dropped or overwritten

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6384)
    • Process drops legitimate windows executable

      • MicrosoftEdgeWebview2Setup.exe (PID: 6384)
      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
      • MicrosoftEdgeUpdate.exe (PID: 6472)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 6384)
      • MicrosoftEdgeUpdate.exe (PID: 6472)
    • Potential Corporate Privacy Violation

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
    • Process requests binary or script from the Internet

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
  • INFO

    • Checks supported languages

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
    • Create files in a temporary directory

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
    • Reads the computer name

      • Modrinth App_0.8.9_x64-setup.exe (PID: 5548)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.8.9.0
ProductVersionNumber: 0.8.9.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Modrinth App
FileVersion: 0.8.9
LegalCopyright: -
ProductName: Modrinth App
ProductVersion: 0.8.9
Total processes: 128
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (image available in the full report): modrinth app_0.8.9_x64-setup.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, wermgr.exe, modrinth app_0.8.9_x64-setup.exe (no specs)

Process information

PID: 376
CMD: "C:\Users\admin\AppData\Local\Temp\Modrinth App_0.8.9_x64-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Modrinth App_0.8.9_x64-setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Modrinth App
Exit code: 3221226540
Version: 0.8.9
Modules (images):
  • c:\users\admin\appdata\local\temp\modrinth app_0.8.9_x64-setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 5548
CMD: "C:\Users\admin\AppData\Local\Temp\Modrinth App_0.8.9_x64-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Modrinth App_0.8.9_x64-setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Modrinth App
Version: 0.8.9
Modules (images):
  • c:\users\admin\appdata\local\temp\modrinth app_0.8.9_x64-setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 6384
CMD: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe /silent /install
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Parent process: Modrinth App_0.8.9_x64-setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge Update Setup
Exit code: 2147747592
Version: 1.3.195.31
Modules (images):
  • c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 6472
CMD: "C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path: C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeWebview2Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge Update
Exit code: 2147747592
Version: 1.3.195.31
Modules (images):
  • c:\program files (x86)\microsoft\temp\euf1dd.tmp\microsoftedgeupdate.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ole32.dll

PID: 6540
CMD: "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "6472" "1864" "1868" "1960" "0" "0" "0" "0" "0" "0" "0" "0"
Path: C:\Windows\SysWOW64\wermgr.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\wermgr.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
Total events: 4 257
Read events: 4 223
Write events: 32
Delete events: 2

Modification events

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value: 0

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{A314AE7F-AF3E-4F92-AF4B-40C157CE623E}
Operation: write
Name: PersistedPingString
Value:
<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.195.31" shell_version="1.3.147.37" ismachine="1" sessionid="{E9FB8F00-4A12-4755-95EF-153B16A5F655}" userid="{FD984739-A122-4DB0-BE5B-46E3E09D84E4}" installsource="otherinstallcmd" requestid="{A314AE7F-AF3E-4F92-AF4B-40C157CE623E}" dedup="cr" domainjoined="0"><hw logical_cpus="4" physmemory="4" disk_type="2" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64" product_type="48" is_wip="0" is_in_lockdown_mode="0"/><oem product_manufacturer="DELL" product_name="DELL"/><exp etag="&quot;r452t1+k2Tgq/HXzjvFNBRhopBWR9sbjXxqeUDH9uX0=&quot;"/><app appid="{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}" version="1.3.185.17" nextversion="1.3.195.31" lang="" brand="" client=""><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" system_uptime_ticks="9837977650" install_time_ms="516"/></app></request>

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{A314AE7F-AF3E-4F92-AF4B-40C157CE623E}
Operation: write
Name: PersistedPingTime
Value: 133765014585806366

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\proxy
Operation: write
Name: source
Value: auto

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{A314AE7F-AF3E-4F92-AF4B-40C157CE623E}
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: \REGISTRY\A\{28e65d7f-9883-ef4a-7880-7f782c768f01}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: \REGISTRY\A\{28e65d7f-9883-ef4a-7880-7f782c768f01}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (6540) wermgr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: ClockTimeSeconds
Value: D4A53C6700000000

(PID) Process: (6540) wermgr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation: write
Name: TickCount
Value: A2080F0000000000

(PID) Process: (6472) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Timings
Operation: write
Name: setup_lock_acquire_ms
Value: 0300000000000000000000000000000000000000000000000000000000000000
Executable files: 204
Suspicious files: 5
Text files: 6
Unknown types: 2

Dropped files

PID | Process | Filename | Type

5548 | Modrinth App_0.8.9_x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nstAA57.tmp\System.dll | executable
  MD5: CFF85C549D536F651D4FB8387F1976F2
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\MicrosoftEdgeUpdate.exe | executable
  MD5: 35A79BD6DE650D2C0988674344BF698B
  SHA256: A79A81DA2B8DCBE39609A9E1B4E8C81AE0BC54195C0C854B77BEBE7BFA7F10C1

5548 | Modrinth App_0.8.9_x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nstAA57.tmp\nsDialogs.dll | executable
  MD5: 6C3F8C94D0727894D706940A8A980543
  SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\psmachine.dll | executable
  MD5: 9121DE4CEB4F691C7E742A2175A983CC
  SHA256: 82305464577060796C89E2184D4EC9859A2053EE604676C5450DDE51804DF58B

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\MicrosoftEdgeUpdateBroker.exe | executable
  MD5: 6D805602CA06ADC5AE7464F47E654C28
  SHA256: 4DAD1176E59A3DB12D134252C4560F75EC907177CDE71389D2B44F245CCDE8F5

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\psmachine_arm64.dll | executable
  MD5: E568A76471E3206C5D82619B7C0130C3
  SHA256: 3A80C699AB48F664FEE172B8E2ABF909D0E1DF65C952D42DCBBF804E295D48EF

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\psuser.dll | executable
  MD5: 0DCFC65DACEDF343AE71A0480E646535
  SHA256: 321FAD4F2F8E5FCB19D7E089F31BA2460C63B682DA7A4EA81D1578EC7436FE57

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe | executable
  MD5: C55B37823A672C86BC19099633640EAB
  SHA256: 3DF9CD2FECF10E65BE13D4B61CA0A9185845F2CB04B872ADEAF41CA46AF39AA0

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\psuser_64.dll | executable
  MD5: 0EE07EE9B65A85DFD22A8B5D7488C7BD
  SHA256: 32CB22AC25721131E72C2213A107ED1EE9B7B2E8EDAAB3E6A4EC80E45A291DB4

6384 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EUF1DD.tmp\psmachine_64.dll | executable
  MD5: 063BDED6FFDC9F5AF46016E7C3AC864D
  SHA256: 8214311AE362682C1EEFE022B875FC41A2FAE67FCE6642DFB980DEADBF71A7A5
HTTP(S) requests: 11
TCP/UDP connections: 39
DNS requests: 23
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6620 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6620 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5548 | Modrinth App_0.8.9_x64-setup.exe | GET | 200 | 2.16.10.186:80 | http://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/a81fb0da-2535-485a-a555-a665473e497e/MicrosoftEdgeWebview2Setup.exe | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4932 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4932 | svchost.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5548 | Modrinth App_0.8.9_x64-setup.exe | GET | 301 | 23.213.166.81:80 | http://go.microsoft.com/fwlink/p/?LinkId=2124703 | unknown | whitelisted
2536 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6540 | wermgr.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
908 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4932 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 92.123.104.13:443 | - | Akamai International B.V. | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4932 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4932 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4932 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 92.123.104.12:443 | - | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
crl.microsoft.com | 23.48.23.173, 23.48.23.166, 23.48.23.156, 23.48.23.159, 23.48.23.141, 23.48.23.164, 23.48.23.167, 23.48.23.147, 23.48.23.145, 23.48.23.176, 23.48.23.194, 23.48.23.143 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.23, 20.190.159.68, 20.190.159.71, 20.190.159.0, 20.190.159.64, 20.190.159.73, 20.190.159.2, 40.126.31.67 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
msedge.sf.dl.delivery.mp.microsoft.com | 2.16.10.186, 2.16.10.185 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted

Threats

PID | Process | Class | Message
5548 | Modrinth App_0.8.9_x64-setup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4 ETPRO signatures available at the full report
No debug info