File name:

mestermc.exe

Full analysis: https://app.any.run/tasks/1c8a1836-2ae4-4ba5-82d8-63ed40000f1b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 08, 2025, 20:46:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
inno
installer
qrcode
java
loader
antivm
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

DEB9C806AA00DE374FA78D5FFB02BA40

SHA1:

3FBDBB1B91E21475DD5A7E1DBA94A6EBAB771E71

SHA256:

58DE88C919C75751592A8ED36B280EC41837E30D0ECF9EFFBFB92232D584C42A

SSDEEP:

98304:jLVIF8P3n1BLHxtD59KEKjSvkyklAI6YFKUvguJZYsdgQsbh1vNIw1aYOtj7fQEy:6YDo2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 2220)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • mestermc.tmp (PID: 6668)
      • msiexec.exe (PID: 3000)

    • Executable content was dropped or overwritten

      • mestermc.exe (PID: 5768)
      • mestermc.exe (PID: 1380)
      • mestermc.tmp (PID: 5188)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3952)

    • Probably download files using WebClient

      • cmd.exe (PID: 3952)

    • Reads the Windows owner or organization settings

      • mestermc.tmp (PID: 5188)
      • msiexec.exe (PID: 5432)

    • Starts CMD.EXE for commands execution

      • mestermc.tmp (PID: 5188)

    • Application launched itself

      • msiexec.exe (PID: 5432)

    • Checks for Java to be installed

      • msiexec.exe (PID: 5116)
      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 3000)
      • msiexec.exe (PID: 5432)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3048)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3000)

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 3000)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3000)

    • Connects to unusual port

      • javaw.exe (PID: 7812)

    • There is functionality for VM detection VMWare (YARA)

      • javaw.exe (PID: 7812)

    • There is functionality for VM detection antiVM strings (YARA)

      • javaw.exe (PID: 7812)

    • There is functionality for VM detection VirtualBox (YARA)

      • javaw.exe (PID: 7812)

    • There is functionality for taking screenshot (YARA)

      • javaw.exe (PID: 7812)

    • Process requests binary or script from the Internet

      • javaw.exe (PID: 7812)

    • Potential Corporate Privacy Violation

      • javaw.exe (PID: 7812)

  • INFO

    • Create files in a temporary directory

      • mestermc.exe (PID: 5768)
      • mestermc.exe (PID: 1380)
      • mestermc.tmp (PID: 5188)
      • msiexec.exe (PID: 5116)
      • javaw.exe (PID: 7812)

    • Checks supported languages

      • mestermc.tmp (PID: 6668)
      • mestermc.exe (PID: 5768)
      • mestermc.exe (PID: 1380)
      • mestermc.tmp (PID: 5188)
      • msiexec.exe (PID: 5116)
      • msiexec.exe (PID: 5432)
      • identity_helper.exe (PID: 3620)
      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 3000)
      • javaw.exe (PID: 7812)

    • Process checks computer location settings

      • mestermc.tmp (PID: 6668)
      • javaw.exe (PID: 7812)

    • Reads the computer name

      • mestermc.tmp (PID: 6668)
      • mestermc.exe (PID: 1380)
      • mestermc.tmp (PID: 5188)
      • identity_helper.exe (PID: 3620)
      • msiexec.exe (PID: 5432)
      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 5116)
      • msiexec.exe (PID: 3000)
      • javaw.exe (PID: 7812)

    • Disables trace logs

      • powershell.exe (PID: 2220)

    • Checks proxy server information

      • powershell.exe (PID: 2220)
      • slui.exe (PID: 7820)

    • Compiled with Borland Delphi (YARA)

      • mestermc.exe (PID: 5768)
      • mestermc.tmp (PID: 6668)
      • mestermc.tmp (PID: 5188)
      • mestermc.exe (PID: 1380)

    • Detects InnoSetup installer (YARA)

      • mestermc.exe (PID: 5768)
      • mestermc.tmp (PID: 6668)
      • mestermc.exe (PID: 1380)
      • mestermc.tmp (PID: 5188)

    • Manual execution by a user

      • firefox.exe (PID: 4520)
      • msedge.exe (PID: 5908)

    • Application launched itself

      • firefox.exe (PID: 4520)
      • firefox.exe (PID: 2632)
      • msedge.exe (PID: 5908)

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 2632)
      • msedge.exe (PID: 5908)
      • OpenWith.exe (PID: 3388)

    • Creates files or folders in the user directory

      • mestermc.tmp (PID: 5188)
      • javaw.exe (PID: 7812)

    • Creates files in the program directory

      • mestermc.tmp (PID: 5188)

    • Creates a software uninstall entry

      • mestermc.tmp (PID: 5188)
      • msiexec.exe (PID: 5432)

    • Reads Environment values

      • identity_helper.exe (PID: 3620)

    • Reads the software policy settings

      • msiexec.exe (PID: 6220)
      • msiexec.exe (PID: 5432)
      • slui.exe (PID: 7820)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6220)
      • OpenWith.exe (PID: 3388)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6220)
      • msiexec.exe (PID: 5432)
      • msiexec.exe (PID: 3000)

    • Manages system restore points

      • SrTasks.exe (PID: 5560)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 5432)
      • javaw.exe (PID: 7812)

    • The sample compiled with english language support

      • msiexec.exe (PID: 5432)
      • msiexec.exe (PID: 6220)
      • msiexec.exe (PID: 3000)

    • Application based on Java

      • javaw.exe (PID: 7812)

    • Reads CPU info

      • javaw.exe (PID: 7812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:13 06:55:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 223232
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: MesterMC Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: MesterMC
ProductVersion: 1.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
230
Monitored processes
76
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start mestermc.exe no specs mestermc.tmp no specs mestermc.exe mestermc.tmp no specs cmd.exe no specs conhost.exe no specs powershell.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe slui.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msiexec.exe no specs msedge.exe no specs openwith.exe no specs javaw.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
684"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 1980 -prefsLen 36520 -prefMapHandle 1984 -prefMapSize 272997 -ipcHandle 2056 -initialChannelId {aecad503-916a-47d7-84e2-d5f23c0fd2ca} -parentPid 2632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2632" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
728"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=3772,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=7968 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
868"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6528,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
952"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=5348,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1096"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7880,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=7892 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1324"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5692,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1380"C:\Users\admin\AppData\Local\Temp\mestermc.exe" /SPAWNWND=$702E4 /NOTIFYWND=$702BE C:\Users\admin\AppData\Local\Temp\mestermc.exe
mestermc.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
MesterMC Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\mestermc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
1752"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 1 -prefsHandle 5660 -prefsLen 45120 -prefMapHandle 5252 -prefMapSize 272997 -ipcHandle 6032 -initialChannelId {62914a78-518f-4d69-a2c9-bc8e6f24aea4} -parentPid 2632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
2040"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5960,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2124"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7216,i,2426296518231541681,2079724373613950041,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
41 808
Read events
41 435
Write events
348
Delete events
25

Modification events

(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: Setup Version
Value:
6.4.2
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Users\admin\AppData\Roaming\MesterMC
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:InstallLocation
Value:
C:\Users\admin\AppData\Roaming\MesterMC\
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: Icon Group
Value:
(Default)
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: Selected Tasks
Value:
desktopicon,startmenuicon
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: Deselected Tasks
Value:
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:Inno Setup: Language
Value:
hu
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:DisplayName
Value:
MesterMC, verzió: 1.0
(PID) Process:(5188) mestermc.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MesterMC_is1
Operation:writeName:UninstallString
Value:
"C:\Users\admin\AppData\Roaming\MesterMC\unins000.exe"
Executable files
167
Suspicious files
968
Text files
452
Unknown types
297

Dropped files

PID
Process
Filename
Type
1380mestermc.exeC:\Users\admin\AppData\Local\Temp\is-BS9QB.tmp\mestermc.tmpexecutable
MD5:67F54AF2F8C4B38AC5428DF2B07B1916
SHA256:4CD975F8CDEE88A6D8D96A732D8A6386A79C2164F218F0355C4625A891EE8D6A
5188mestermc.tmpC:\Users\admin\AppData\Local\Temp\is-N50DL.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5188mestermc.tmpC:\ProgramData\Microsoft\Windows\Start Menu\Programs\MesterMC.lnklnk
MD5:1CDFFC2712B6A295CD02D28D91B0AF1B
SHA256:BFB79BAE58BFC07FBE6BB14DA2C535D78708D9F86E48662DD91D2996B650043B
2632firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
2632firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2FD670934FEF0C60E2119BD874AAF470
SHA256:771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2
2632firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2220powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_irebf1pz.py0.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2632firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:3134ED3F12E4F4F8643DB90043B0FD7B
SHA256:26E4F122034D7A03F6DA0E707799B09CBEEBDAF8D7A3133A1F7BD894AC72EEA1
2220powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4gxrlyxy.iyi.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2632firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
63
TCP/UDP connections
276
DNS requests
382
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2632
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
3648
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2632
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
2632
firefox.exe
POST
200
172.217.18.3:80
http://o.pki.goog/we2
unknown
whitelisted
2632
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
2632
firefox.exe
POST
200
172.217.18.3:80
http://o.pki.goog/s/wr3/k58
unknown
whitelisted
2632
firefox.exe
POST
200
172.217.18.3:80
http://o.pki.goog/s/wr3/k58
unknown
whitelisted
2632
firefox.exe
POST
200
172.217.18.3:80
http://o.pki.goog/s/wr3/azY
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4400
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2220
powershell.exe
89.187.169.47:443
mestermc.b-cdn.net
Datacamp Limited
DE
whitelisted
2632
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.22
  • 23.216.77.30
  • 23.216.77.13
  • 23.216.77.15
  • 23.216.77.18
  • 23.216.77.16
  • 23.216.77.21
  • 23.216.77.29
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
mestermc.b-cdn.net
  • 89.187.169.47
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
content-signature-chains.prod.autograph.services.mozaws.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
login.live.com
  • 40.126.31.3
  • 20.190.159.68
  • 40.126.31.130
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.128
  • 20.190.159.129
  • 20.190.160.132
  • 20.190.160.2
  • 20.190.160.5
  • 20.190.160.65
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.17
  • 20.190.160.130
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Potentially Bad Traffic
ET INFO Possible Chrome Plugin install
7812
javaw.exe
Potential Corporate Privacy Violation
ET INFO User-Agent (Launcher)
7812
javaw.exe
Potential Corporate Privacy Violation
ET INFO User-Agent (Launcher)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
mestermc.exe