Malware analysis CurseForge Windows - Installer.exe Malicious activity

Add for printing

File name:	CurseForge Windows - Installer.exe
Full analysis:	https://app.any.run/tasks/4a0b92e6-44ab-4386-ad86-dcaf1fa6b3bd
Verdict:	Malicious activity
Analysis date:	September 06, 2025, 00:16:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-scr arch-html
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	B14F85AFA6E8584BBF8C376F08DD1344
SHA1:	4DB186912083937CFD981A377F4DB5AEC3711E0C
SHA256:	889DA00684AAE2536FDFDFF746C61C6F727CADF75A140DB1F9FCBB53B31CFBE1
SSDEEP:	98304:A/DiTyNJ/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhBIHsCE+1mcMRwSMRwgF9RPi:dYARi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Unrestricted)
  - CurseForge.exe (PID: 6360)
- Changes the autorun value in the registry
  - CurseForge.exe (PID: 6360)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - CurseForge Windows - Installer.exe (PID: 6340)
  - ow-electron-setup.exe (PID: 6180)
- The process creates files with name similar to system file names
  - CurseForge Windows - Installer.exe (PID: 6340)
  - ow-electron-setup.exe (PID: 6180)
- Executable content was dropped or overwritten
  - CurseForge Windows - Installer.exe (PID: 6340)
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 7268)
  - Curse.Agent.Host.exe (PID: 7236)
- Drops 7-zip archiver for unpacking
  - CurseForge Windows - Installer.exe (PID: 6340)
  - ow-electron-setup.exe (PID: 6180)
- Reads Microsoft Outlook installation path
  - OWInstaller.exe (PID: 4724)
- Reads Internet Explorer settings
  - OWInstaller.exe (PID: 4724)
- Reads security settings of Internet Explorer
  - OWInstaller.exe (PID: 4724)
  - ow-electron-setup.exe (PID: 6180)
- There is functionality for taking screenshot (YARA)
  - CurseForge Windows - Installer.exe (PID: 6340)
- Starts CMD.EXE for commands execution
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 7268)
- Get information on the list of running processes
  - ow-electron-setup.exe (PID: 6180)
  - cmd.exe (PID: 4088)
- Process drops legitimate windows executable
  - ow-electron-setup.exe (PID: 6180)
- Creates a software uninstall entry
  - ow-electron-setup.exe (PID: 6180)
- Application launched itself
  - CurseForge.exe (PID: 6360)
- The process bypasses the loading of PowerShell profile settings
  - CurseForge.exe (PID: 6360)
- The process hides Powershell's copyright startup banner
  - CurseForge.exe (PID: 6360)
- Starts POWERSHELL.EXE for commands execution
  - CurseForge.exe (PID: 6360)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 7824)
- Reads the date of Windows installation
  - OWInstaller.exe (PID: 4724)
INFO
- Creates files or folders in the user directory
  - CurseForge Windows - Installer.exe (PID: 6340)
  - OWInstaller.exe (PID: 4724)
  - dxdiag.exe (PID: 3768)
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 1712)
  - CurseForge.exe (PID: 7268)
  - CurseForge.exe (PID: 7436)
  - Curse.Agent.Host.exe (PID: 7236)
- Checks supported languages
  - CurseForge Windows - Installer.exe (PID: 6340)
  - OWInstaller.exe (PID: 4724)
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 6172)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 1712)
  - CurseForge.exe (PID: 5684)
  - CurseForge.exe (PID: 4084)
  - CurseForge.exe (PID: 1204)
  - CurseForge.exe (PID: 7268)
  - Curse.Agent.Host.exe (PID: 7236)
  - CurseForge.exe (PID: 7436)
- The sample compiled with english language support
  - CurseForge Windows - Installer.exe (PID: 6340)
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 7268)
  - Curse.Agent.Host.exe (PID: 7236)
- Reads the computer name
  - OWInstaller.exe (PID: 4724)
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 1712)
  - CurseForge.exe (PID: 6172)
  - CurseForge.exe (PID: 5684)
  - CurseForge.exe (PID: 7268)
  - Curse.Agent.Host.exe (PID: 7236)
  - CurseForge.exe (PID: 7436)
- Create files in a temporary directory
  - CurseForge Windows - Installer.exe (PID: 6340)
  - OWInstaller.exe (PID: 4724)
  - ow-electron-setup.exe (PID: 6180)
  - CurseForge.exe (PID: 6360)
- Reads the machine GUID from the registry
  - OWInstaller.exe (PID: 4724)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 6172)
  - CurseForge.exe (PID: 7436)
- Reads Environment values
  - OWInstaller.exe (PID: 4724)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 7268)
  - CurseForge.exe (PID: 6172)
- Disables trace logs
  - OWInstaller.exe (PID: 4724)
- Reads product name
  - OWInstaller.exe (PID: 4724)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 7268)
- Reads the software policy settings
  - OWInstaller.exe (PID: 4724)
  - dxdiag.exe (PID: 3768)
  - CurseForge.exe (PID: 5684)
  - Curse.Agent.Host.exe (PID: 7236)
- Process checks computer location settings
  - OWInstaller.exe (PID: 4724)
  - CurseForge.exe (PID: 6360)
  - CurseForge.exe (PID: 1204)
  - CurseForge.exe (PID: 4084)
  - CurseForge.exe (PID: 7268)
- Checks proxy server information
  - OWInstaller.exe (PID: 4724)
  - dxdiag.exe (PID: 3768)
  - CurseForge.exe (PID: 6360)
  - Curse.Agent.Host.exe (PID: 7236)
- Reads security settings of Internet Explorer
  - dxdiag.exe (PID: 3768)
- Manual execution by a user
  - CurseForge.exe (PID: 6360)
- Reads CPU info
  - CurseForge.exe (PID: 6360)
- Creates files in the program directory
  - Curse.Agent.Host.exe (PID: 7236)
- Launching a file from a Registry key
  - CurseForge.exe (PID: 6360)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	186880
UninitializedDataSize:	2048
EntryPoint:	0x352d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.282.0.1
ProductVersionNumber:	2.282.0.1
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	-
CompanyName:	Overwolf Ltd.
FileDescription:	Curseforge
FileVersion:	2.282.0.1
LegalCopyright:	Copyright (C) 2021 Overwolf Ltd. All Rights Reserved.
LegalTrademarks:	-
ProductName:	Curseforge
ProductVersion:	2.282.0.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

167

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

684

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

CurseForge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

828

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1204

"C:\Users\admin\AppData\Local\Programs\CurseForge Windows\CurseForge.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\CurseForge" --standard-schemes=owepm --secure-schemes=owepm --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\admin\AppData\Local\Programs\CurseForge Windows\resources\app.asar" --enable-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1757116150744892 --launch-time-ticks=1681394742 --field-trial-handle=1812,i,15678328909215686320,15627309996040637967,262144 --enable-features=EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=ScreenAIOCREnabled,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit --variations-seed-version --mojo-platform-channel-handle=3776 disableSentry=false /prefetch:1

C:\Users\admin\AppData\Local\Programs\CurseForge Windows\CurseForge.exe

—

CurseForge.exe

User:

admin

Company:

Overwolf

Integrity Level:

LOW

Description:

CurseForge

Version:

1.287.0-28081.28081

Modules

Images
c:\users\admin\appdata\local\programs\curseforge windows\curseforge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

1712

"C:\Users\admin\AppData\Local\Programs\CurseForge Windows\CurseForge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\CurseForge" --standard-schemes=owepm --secure-schemes=owepm --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --field-trial-handle=1812,i,15678328909215686320,15627309996040637967,262144 --enable-features=EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=ScreenAIOCREnabled,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:3

C:\Users\admin\AppData\Local\Programs\CurseForge Windows\CurseForge.exe

CurseForge.exe

User:

admin

Company:

Overwolf

Integrity Level:

MEDIUM

Description:

CurseForge

Version:

1.287.0-28081.28081

Modules

Images
c:\users\admin\appdata\local\programs\curseforge windows\curseforge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3768

"C:\WINDOWS\System32\DxDiag.exe" /xC:\Users\admin\AppData\Local\Overwolf\Temp\DxDiagOutput.xml

C:\Windows\System32\dxdiag.exe

OWInstaller.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft DirectX Diagnostic Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4084

"C:\Users\admin\AppData\Local\Programs\CurseForge Windows\CurseForge.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\CurseForge" --standard-schemes=owepm --secure-schemes=owepm --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\admin\AppData\Local\Programs\CurseForge Windows\resources\app.asar" --enable-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1757116150744892 --launch-time-ticks=1681290562 --field-trial-handle=1812,i,15678328909215686320,15627309996040637967,262144 --enable-features=EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=ScreenAIOCREnabled,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:1

C:\Users\admin\AppData\Local\Programs\CurseForge Windows\CurseForge.exe

—

CurseForge.exe

User:

admin

Company:

Overwolf

Integrity Level:

LOW

Description:

CurseForge

Exit code:

Version:

1.287.0-28081.28081

Modules

Images
c:\users\admin\appdata\local\programs\curseforge windows\curseforge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

4088

"C:\WINDOWS\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq CurseForge.exe" /FO csv | "C:\WINDOWS\system32\find.exe" "CurseForge.exe"

C:\Windows\SysWOW64\cmd.exe

—

ow-electron-setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4648

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

CurseForge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

4724

"C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\OWinstaller.exe" Sel=0&Extension=cfiahnpaolfnlgaihhmobmnjdafknjnjdpdabpcm&Name=CurseForge%20Windows&UtmTerm=eyJkb21haW4iOiJjZi13ZWIifQ%3D%3D&Referer=www.curseforge.com&Browser=firefox -partnerCustomizationLevel 1 -customPromoPages --owelectronUrl=https://download.overwolf.com/setup/electron/cfiahnpaolfnlgaihhmobmnjdafknjnjdpdabpcm -AllowWindowsInsider --disable-change-location --disable-ow-shortcut-ui --disable-app-shortcut-ui --enable-app-shortcut --silent-setup --app-name="Curseforge" --auto-close -exepath C:\Users\admin\AppData\Local\Temp\CurseForge Windows - Installer.exe

C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\OWInstaller.exe

CurseForge Windows - Installer.exe

User:

admin

Company:

Overwolf

Integrity Level:

MEDIUM

Description:

Curseforge Installer

Exit code:

Version:

2.282.0.1

Modules

Images
c:\users\admin\appdata\local\temp\nsfd82c.tmp\owinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4932

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

26 854

Read events

26 678

Write events

134

Delete events

Modification events


(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\OverwolfPersist
Operation:	write	Name:	MUIDV2
Value: 696eafc2-8be5-466c-8ad9-ea8fe4cf967c
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\OverwolfElectron
Operation:	write	Name:	MUID
Value: bb926e54-e3ca-40fd-ae90-2764341e7792
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4724) OWInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OWinstaller_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

300

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Overwolf\OWInstall.log		text
		MD5:07E605D2D7609CF336EA1708E86B5A0C	SHA256:C69AD6C6A1D6D89336E18DB86A6C852AB60C0CEB367C79922807E55DE7BE49DD
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\OWInstaller.exe.config		xml
		MD5:82D22E4E19E27E306317513B9BFA70FF	SHA256:272E4C5364193E73633CAA3793E07509A349B79314EA01808B24FDB12C51B827
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\utils.dll		executable
		MD5:C6B46A5FCDCCBF3AEFF930B1E5B383D4	SHA256:251AB3E2690562DCFCD510642607F206E6DCF626D06D94B74E1FA8297B1050A0
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\nsProcess.dll		executable
		MD5:10E47E822B85D2A12FA4727001612182	SHA256:D530589A90918334B8E08D7355630892DD62F41333D948A860735D5BECFCB391
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\System.dll		executable
		MD5:51BD16A2EA23AE1E7A92CEDC6785C82E	SHA256:4DBC79D2B1C7987CC64BB5D014DB81BB5108BDD6D8BF3A5F820FAC1DED62BE33
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\OWInstaller.exe		executable
		MD5:3227EF39A4227820E3FDAA92B7880738	SHA256:C26748BD25C4100D2031BB0D2E868CBD6347F65D5B840ADAC4FFCE8CE09C23D5
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\DotNetZip.dll		executable
		MD5:190E712F2E3B065BA3D5F63CB9B7725E	SHA256:6C512D9943A225D686B26FC832589E4C8BEF7C4DD0A8BDFD557D5D27FE5BBA0F
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\Newtonsoft.Json.dll		executable
		MD5:98CBB64F074DC600B23A2EE1A0F46448	SHA256:7B44639CBFBC8DDAC8C7A3DE8FFA97A7460BEBB0D54E9FF2E1CCDC3A742C2B13
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\uac.dll		executable
		MD5:861F7E800BB28F68927E65719869409C	SHA256:10A0E8CF46038AB3B2C3CF5DCE407B9A043A631CBDE9A5C8BCF0A54B2566C010
6340	CurseForge Windows - Installer.exe	C:\Users\admin\AppData\Local\Temp\nsfD82C.tmp\Microsoft.Win32.TaskScheduler.dll		executable
		MD5:198949A4C3E67B9EB916140DFF75C114	SHA256:0BDAD6DEB1B651E0A52BAB4DB2C7883C9332884AA37300B3439C69D85B054C7C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4724	OWInstaller.exe	GET	200	142.250.186.174:80	http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=775714462&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=454688362&utmr=/&utmp=/&utmac=UA-80584726-1&utmcc=__utma%3D0.1766214910.1757117780.1757117780.1757117780.2%3B%2B__utmz%3D0.1757117780.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event	US	image	35 b	whitelisted
4724	OWInstaller.exe	GET	200	142.250.186.174:80	http://www.google-analytics.com/__utm.gif?utmwv=4.7.2&utmn=469248215&utmhn=&utmcs=UTF-8&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=&utmhid=323969851&utmr=/&utmp=/&utmac=UA-18298709-8&utmcc=__utma%3D0.1766214910.1757117780.1757117780.1757117780.2%3B%2B__utmz%3D0.1757117780.1.1.utmcsr%3D%28direct%29%7Cutmccn%3D%7Cutmcmd%3D%3B&utme=5%28Funnel2%2AInstaller%20Launched%2A%29%28%29&gaq=1&utmt=event	US	image	35 b	whitelisted
4724	OWInstaller.exe	GET	200	18.245.38.41:80	http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEnA9eVH9TrLXPKuCavuqCA0%3D	US	binary	851 b	whitelisted
4724	OWInstaller.exe	GET	200	142.250.185.99:80	http://c.pki.goog/r/gsr1.crl	US	binary	1.70 Kb	whitelisted
4724	OWInstaller.exe	GET	200	142.250.185.99:80	http://c.pki.goog/r/r4.crl	US	binary	530 b	whitelisted
4724	OWInstaller.exe	GET	200	18.245.38.41:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	US	binary	1.40 Kb	whitelisted
4724	OWInstaller.exe	GET	200	142.250.185.99:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCI6mHCdFWRJRAo5PR4%2Fqn6	US	binary	281 b	whitelisted
4724	OWInstaller.exe	GET	200	142.250.185.99:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCxXblMd1Bh9glV8CviEWkb	US	binary	281 b	whitelisted
3768	dxdiag.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	DE	binary	824 b	whitelisted
3768	dxdiag.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20	QA	binary	564 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6012	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4724	OWInstaller.exe	142.250.186.174:80	www.google-analytics.com	GOOGLE	US	whitelisted
4724	OWInstaller.exe	18.244.18.106:443	analyticsnew.overwolf.com	—	US	unknown
4724	OWInstaller.exe	18.245.86.78:443	content.overwolf.com	—	US	whitelisted
4724	OWInstaller.exe	18.245.38.41:80	ocsp.rootca3.amazontrust.com	—	US	whitelisted
4724	OWInstaller.exe	18.172.112.84:443	storeapi.overwolf.com	—	US	shared

DNS requests

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
www.google-analytics.com	142.250.186.174	whitelisted
analyticsnew.overwolf.com	18.244.18.106 18.244.18.51 18.244.18.46 18.244.18.56 13.227.219.10 13.227.219.31 13.227.219.33 13.227.219.51	unknown
content.overwolf.com	18.245.86.78 18.245.86.117 18.245.86.110 18.245.86.39	whitelisted
ocsp.rootca3.amazontrust.com	18.245.38.41	whitelisted
storeapi.overwolf.com	18.172.112.84 18.172.112.62 18.172.112.117 18.172.112.72	shared
console-apps.overwolf.com	18.66.122.9 18.66.122.63 18.66.122.24 18.66.122.107	unknown
fonts.googleapis.com	142.250.186.74	whitelisted
c.pki.goog	142.250.185.99	unknown
ocsp.rootca1.amazontrust.com	18.245.38.41	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed UA-CPU Header
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
1712	CurseForge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
1712	CurseForge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
1712	CurseForge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt

Add for printing

No debug info

General Info

CurseForge Windows - Installer.exe

B14F85AFA6E8584BBF8C376F08DD1344

4DB186912083937CFD981A377F4DB5AEC3711E0C

889DA00684AAE2536FDFDFF746C61C6F727CADF75A140DB1F9FCBB53B31CFBE1

98304:A/DiTyNJ/A9nGcRa1xXcVsy3RxeLLCIJgap176MVhBIHsCE+1mcMRwSMRwgF9RPi:dYARi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

Changes the autorun value in the registry

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

Starts CMD.EXE for commands execution

Get information on the list of running processes

Process drops legitimate windows executable

Creates a software uninstall entry

Application launched itself

The process bypasses the loading of PowerShell profile settings

The process hides Powershell's copyright startup banner

Starts POWERSHELL.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Reads the date of Windows installation

INFO

Creates files or folders in the user directory

Checks supported languages

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Reads product name

Reads the software policy settings

Process checks computer location settings

Checks proxy server information

Reads security settings of Internet Explorer

Manual execution by a user

Reads CPU info

Creates files in the program directory

Launching a file from a Registry key

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information