File name: Elscheat 68741.exe

Full analysis: https://app.any.run/tasks/2fc7d788-d573-4f58-94b0-252448bdab39
Verdict: Malicious activity
Analysis date: June 01, 2024, 19:19:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A0EF5190ACE83C1ACE9D069AECB3A04F
SHA1: A878B5B2FA6F677A969FC1A35F12EF4F38E8768D
SHA256: 4039C72B48C98C324D6B2C2C0E0E65F955B522088D7322DD99A44FE1AE9AA502
SSDEEP: 98304:ZET9CppyGNKU6eo2JWCrli2VD6WwEbe9etCR1VVtB6POZ539V20xqU+0HHDwhlen:gEbERx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Elscheat 68741.exe (PID: 6632)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • Elscheat 68741.exe (PID: 6632)
  • INFO
    • Checks supported languages
      • Elscheat 68741.exe (PID: 6632)
    • Checks proxy server information
      • Elscheat 68741.exe (PID: 6632)
    • Reads the computer name
      • Elscheat 68741.exe (PID: 6632)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:24 22:07:02+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 5487616
InitializedDataSize: 3875328
UninitializedDataSize: -
EntryPoint: 0x53d48c
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 17.0.0.0
ProductVersionNumber: 17.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: ElsCheat
FileVersion: 17.0.0.0
ProductName: ElsCheat - 17.0
ProductVersion: 17
ProgramID: com.embarcadero.Project1
FileDescription: Project1
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph


Process information

PID: 6584
CMD: "C:\Users\admin\Desktop\Elscheat 68741.exe"
Path: C:\Users\admin\Desktop\Elscheat 68741.exe
Parent process: explorer.exe
User: admin
Company: ElsCheat
Integrity Level: MEDIUM
Description: Project1
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 17.0.0.0
Modules (images):
  c:\users\admin\desktop\elscheat 68741.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 6632
CMD: "C:\Users\admin\Desktop\Elscheat 68741.exe"
Path: C:\Users\admin\Desktop\Elscheat 68741.exe
Parent process: explorer.exe
User: admin
Company: ElsCheat
Integrity Level: HIGH
Description: Project1
Version: 17.0.0.0
Modules (images):
  c:\users\admin\desktop\elscheat 68741.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\shell32.dll
Total events: 1 514
Read events: 1 514
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 6632
Process: Elscheat 68741.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Type: binary
MD5: 219A515AECCC41716ABA97B973E05809
SHA256: DF19EC5A2B0B68534C4C8EB03E4EDE8900562A737CEF54FBE1DDE5EBC4FB3F4F
HTTP(S) requests: 7
TCP/UDP connections: 21
DNS requests: 7
Threats: 4

HTTP requests

PID   Process              Method  HTTP Code  IP                  URL                                                                        CN       Type  Size  Reputation
636   svchost.exe          GET     200        23.48.23.156:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  -     -     unknown
636   svchost.exe          GET     200        23.218.209.163:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl         unknown  -     -     unknown
5140  MoUsoCoreWorker.exe  GET     200        23.218.209.163:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl         unknown  -     -     unknown
6632  Elscheat 68741.exe   GET     302        78.40.143.217:80    http://elscheat.com/elsgame/version.txt                                    unknown  -     -     unknown
6632  Elscheat 68741.exe   GET     200        78.40.143.217:80    http://elscheat.com/elsgame/64.txt                                         unknown  -     -     unknown
6632  Elscheat 68741.exe   GET     200        78.40.143.217:80    http://elscheat.com/elsgame/EU.txt                                         unknown  -     -     unknown
-     -                    POST    200        20.189.173.25:443   https://self.events.data.microsoft.com/OneCollector/1.0/                   -        -     -     unknown

Connections

PID   Process              IP                    Domain                           ASN                          CN  Reputation
636   svchost.exe          40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
-     -                    239.255.255.250:1900  -                                -                            -   unknown
5656  RUXIMICS.exe         40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
5140  MoUsoCoreWorker.exe  40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
636   svchost.exe          23.48.23.156:80       crl.microsoft.com                Akamai International B.V.    DE  unknown
636   svchost.exe          23.218.209.163:80     www.microsoft.com                AKAMAI-AS                    DE  unknown
5140  MoUsoCoreWorker.exe  23.218.209.163:80     www.microsoft.com                AKAMAI-AS                    DE  unknown
6632  Elscheat 68741.exe   78.40.143.217:80      elscheat.com                     Verdina Ltd.                 BG  unknown
5456  svchost.exe          40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4     System               192.168.100.255:138   -                                -                            -   whitelisted

DNS requests

Domain                           IP                          Reputation
crl.microsoft.com                23.48.23.156, 23.48.23.143  whitelisted
www.microsoft.com                23.218.209.163              whitelisted
settings-win.data.microsoft.com  40.127.240.158              whitelisted
elscheat.com                     78.40.143.217               unknown
self.events.data.microsoft.com   52.168.117.174              whitelisted

Threats

PID   Process             Class                    Message
6632  Elscheat 68741.exe  Misc Attack              ET DROP Spamhaus DROP Listed Traffic Inbound group 9
6632  Elscheat 68741.exe  Potentially Bad Traffic  ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
6632  Elscheat 68741.exe  Potentially Bad Traffic  ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
-     -                   Potentially Bad Traffic  ET HUNTING Suspicious Windows NT version 3 User-Agent
No debug info