File name: CheatEngine.exe

Full analysis: https://app.any.run/tasks/3bd83eb5-0d5e-4c8f-9493-0f5bd300f427
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 19, 2025, 08:18:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: inno, installer, delphi, adware, innosetup, loader, arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 0F10EFD429002675B2F379C91C586CB3
SHA1: 0762C73C82FA0DC69C74134975232B607EE97953
SHA256: 5D76032509857FA5A319991A13ABF6BF65BD08FB1985C4B96BE62A7E4D291432
SSDEEP: 196608:vRXJdzilKhUDeZZpOE0p85WdouXZ6hq9ANJqSUjWsV5C9r4LHP:vlgeipmrAQhReXjfVMR4LHP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 920)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • net.exe (PID: 6656)
      • net.exe (PID: 660)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • CheatEngine.tmp (PID: 6068)
      • CheatEngine.tmp (PID: 4608)
      • Cheat Engine.exe (PID: 5800)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
    • Executable content was dropped or overwritten

      • CheatEngine.exe (PID: 3176)
      • CheatEngine.exe (PID: 6640)
      • CheatEngine.tmp (PID: 4608)
      • CheatEngine76_Updated_4.exe (PID: 1452)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
    • Reads the Windows owner or organization settings

      • CheatEngine.tmp (PID: 4608)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Process requests binary or script from the Internet

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
    • Potential Corporate Privacy Violation

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
    • Starts SC.EXE for service management

      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Uses ICACLS.EXE to modify access control lists

      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Windows service management via SC.EXE

      • sc.exe (PID: 2240)
      • sc.exe (PID: 3180)
      • sc.exe (PID: 6592)
    • There is functionality for taking screenshot (YARA)

      • CheatEngine.tmp (PID: 4608)
    • Process drops legitimate windows executable

      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Process drops SQLite DLL files

      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Detected use of alternative data streams (AltDS)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
    • Executes application which crashes

      • CheatEngine.tmp (PID: 4608)
    • Reads the date of Windows installation

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
    • Starts itself from another location

      • Instup.exe (PID: 1040)
    • Process checks presence of unattended files

      • instup.exe (PID: 4696)
    • The process verifies whether the antivirus software is installed

      • instup.exe (PID: 4696)
  • INFO

    • Checks supported languages

      • CheatEngine.exe (PID: 3176)
      • CheatEngine.tmp (PID: 6068)
      • CheatEngine.exe (PID: 6640)
      • CheatEngine.tmp (PID: 4608)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
      • CheatEngine76_Updated_4.exe (PID: 1452)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 1276)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • Kernelmoduleunloader.exe (PID: 5528)
      • windowsrepair.exe (PID: 5744)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
      • Cheat Engine.exe (PID: 5800)
      • _setup64.tmp (PID: 6660)
      • Tutorial-x86_64.exe (PID: 6136)
      • instup.exe (PID: 4696)
      • sbr.exe (PID: 4024)
    • Reads the computer name

      • CheatEngine.tmp (PID: 6068)
      • CheatEngine.exe (PID: 6640)
      • CheatEngine.tmp (PID: 4608)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 1276)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • Kernelmoduleunloader.exe (PID: 5528)
      • Cheat Engine.exe (PID: 5800)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
      • Tutorial-x86_64.exe (PID: 6136)
      • instup.exe (PID: 4696)
    • Process checks computer location settings

      • CheatEngine.tmp (PID: 6068)
      • CheatEngine.tmp (PID: 4608)
      • Cheat Engine.exe (PID: 5800)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
    • Create files in a temporary directory

      • CheatEngine.exe (PID: 3176)
      • CheatEngine.exe (PID: 6640)
      • CheatEngine.tmp (PID: 4608)
      • CheatEngine76_Updated_4.exe (PID: 1452)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
    • The sample compiled with english language support

      • CheatEngine.tmp (PID: 4608)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
    • Reads the machine GUID from the registry

      • CheatEngine.tmp (PID: 4608)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6644)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
      • instup.exe (PID: 4696)
    • Detects InnoSetup installer (YARA)

      • CheatEngine.exe (PID: 3176)
      • CheatEngine.exe (PID: 6640)
      • CheatEngine.tmp (PID: 6068)
      • CheatEngine.tmp (PID: 4608)
      • CheatEngine76_Updated_4.exe (PID: 1452)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Reads the software policy settings

      • CheatEngine.tmp (PID: 4608)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
      • slui.exe (PID: 4740)
      • instup.exe (PID: 4696)
    • Compiled with Borland Delphi (YARA)

      • CheatEngine.exe (PID: 3176)
      • CheatEngine.tmp (PID: 6068)
      • CheatEngine.tmp (PID: 4608)
      • CheatEngine.exe (PID: 6640)
      • CheatEngine76_Updated_4.exe (PID: 1452)
      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Checks proxy server information

      • CheatEngine.tmp (PID: 4608)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
      • instup.exe (PID: 4696)
      • slui.exe (PID: 4740)
    • Creates files in the program directory

      • CheatEngine76_Updated_4.tmp (PID: 1532)
      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 2772)
      • instup.exe (PID: 4696)
    • Manual execution by a user

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 5892)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 1276)
    • Reads CPU info

      • avast_free_antivirus_setup_online_x64.exe (PID: 6676)
      • Instup.exe (PID: 1040)
      • instup.exe (PID: 4696)
    • Reads Environment values

      • Instup.exe (PID: 1040)
      • instup.exe (PID: 4696)
    • Creates a software uninstall entry

      • CheatEngine76_Updated_4.tmp (PID: 1532)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5408)
      • WerFault.exe (PID: 6988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:09 11:07:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 90112
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 7.6.0.0
ProductVersionNumber: 7.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: ЕngineGame Downloader
FileVersion: 7.6.0
LegalCopyright: © ЕngineGame
OriginalFileName:
ProductName: ЕngineGame
ProductVersion: 7.6.0
No data.
All screenshots are available in the full report
Total processes: 166
Monitored processes: 42
Malicious processes: 7
Suspicious processes: 4

Behavior graph

Graph nodes in order from the start node ("no specs" marks processes with no signature hits): cheatengine.exe, cheatengine.tmp (no specs), cheatengine.exe, cheatengine.tmp, cookie_mmm_irs_ppi_005_888_a.exe, cheatengine76_updated_4.exe, cheatengine76_updated_4.tmp, net.exe (no specs), conhost.exe (no specs), net1.exe (no specs), net.exe (no specs), conhost.exe (no specs), net1.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), net.exe (no specs), conhost.exe (no specs), net1.exe (no specs), sc.exe (no specs), conhost.exe (no specs), _setup64.tmp (no specs), conhost.exe (no specs), icacls.exe (no specs), conhost.exe (no specs), cookie_mmm_irs_ppi_005_888_a.exe (no specs), cookie_mmm_irs_ppi_005_888_a.exe, avast_free_antivirus_setup_online_x64.exe, instup.exe, kernelmoduleunloader.exe (no specs), windowsrepair.exe (no specs), icacls.exe (no specs), conhost.exe (no specs), cheat engine.exe (no specs), cheatengine-x86_64-sse4-avx2.exe, werfault.exe (no specs), werfault.exe (no specs), slui.exe, tutorial-x86_64.exe (no specs), instup.exe, sbr.exe (no specs)

Process information

PID: 660
CMD: "net" stop vgk
Path: C:\Windows\System32\net.exe
Parent process: CheatEngine76_Updated_4.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wkscli.dll
PID: 920
CMD: "net" stop BadlionAntic
Path: C:\Windows\System32\net.exe
Parent process: CheatEngine76_Updated_4.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1040
CMD: "C:\WINDOWS\Temp\asw.38c56290d62b7183\instup.exe" /sfx:lite /sfxstorage:C:\WINDOWS\Temp\asw.38c56290d62b7183 /edition:1 /prod:ais /stub_context:88757309-d080-414f-aa14-41bd65416a11:11229128 /guid:161c9d36-5c90-443a-b6a2-0eb468ba62ac /ga_clientid:70af17b0-45b6-433d-8c94-cb36b8134c7d /silent /ws /psh:2bJ1koXNksG5FaPVN6LgBQM6IND9EMDZDwc9kksvP9MbsNatpXzeWOAWN8Jae7rQKecmHT8raErWW /cookie:mmm_irs_ppi_005_888_a /ga_clientid:70af17b0-45b6-433d-8c94-cb36b8134c7d /edat_dir:C:\WINDOWS\Temp\asw.d5c06ed459968893
Path: C:\Windows\Temp\asw.38c56290d62b7183\Instup.exe
Parent process: avast_free_antivirus_setup_online_x64.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: Avast Antivirus Installer
Version: 25.2.9898.0
Modules
Images
c:\windows\temp\asw.38c56290d62b7183\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
PID: 1276
CMD: "C:\Users\admin\Desktop\cookie_mmm_irs_ppi_005_888_a.exe"
Path: C:\Users\admin\Desktop\cookie_mmm_irs_ppi_005_888_a.exe
Parent process: explorer.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: Avast Antivirus Installer
Exit code: 0
Version: 2.1.1286.0
Modules
Images
c:\users\admin\desktop\cookie_mmm_irs_ppi_005_888_a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1388
CMD: C:\WINDOWS\system32\net1 stop BadlionAnticheat
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
PID: 1452
CMD: "C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\CheatEngine76_Updated_4.exe" /VERYSILENT /ZBDIST
Path: C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\CheatEngine76_Updated_4.exe
Parent process: CheatEngine.tmp
User: admin
Company: Cheat Engine
Integrity Level: HIGH
Description: Cheat Engine Setup
Exit code: 0
Version: 7.6.0.4
Modules
Images
c:\users\admin\appdata\local\temp\is-gu6bm.tmp\cheatengine76_updated_4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1532
CMD: "C:\Users\admin\AppData\Local\Temp\is-N2OV9.tmp\CheatEngine76_Updated_4.tmp" /SL5="$20254,28639323,832512,C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\CheatEngine76_Updated_4.exe" /VERYSILENT /ZBDIST
Path: C:\Users\admin\AppData\Local\Temp\is-N2OV9.tmp\CheatEngine76_Updated_4.tmp
Parent process: CheatEngine76_Updated_4.exe
User: admin
Company: Cheat Engine
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-n2ov9.tmp\cheatengine76_updated_4.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 2240
CMD: "sc" delete BadlionAntic
Path: C:\Windows\System32\sc.exe
Parent process: CheatEngine76_Updated_4.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2552
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2644
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 33 941
Read events: 30 076
Write events: 3 855
Delete events: 10

Modification events

(PID) Process: (4608) CheatEngine.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E907030003001300080013001600A102010000001E768127E028094199FEB9D127C57AFE

(PID) Process: (4608) CheatEngine.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 01000000000000003A2AAE9EA798DB01

(PID) Process: (1532) CheatEngine76_Updated_4.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value: FC0500003A6CC69FA798DB01

(PID) Process: (1532) CheatEngine76_Updated_4.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value: 08FB6531A68B83B25CBDD8D4DCC849A9B60A2AFB99789EA4D89076AA64FD1CB1

(PID) Process: (1532) CheatEngine76_Updated_4.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1532) CheatEngine76_Updated_4.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: RegFiles0000
Value: C:\Program Files\Cheat Engine\windowsrepair.exe

(PID) Process: (1532) CheatEngine76_Updated_4.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: RegFilesHash
Value: 4DB2DF5FFD9FB69DC8B8DED5F884CBBCBC13A807B3B979FFC98756174A63893C

(PID) Process: (6676) avast_free_antivirus_setup_online_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (6676) avast_free_antivirus_setup_online_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software
Operation: write
Name: SymbolicLinkValue
Value: \Registry\MACHINE\SOFTWARE\Avast Software

(PID) Process: (6676) avast_free_antivirus_setup_online_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation: write
Name: SfxInstProgress
Value: 7
Executable files: 168
Suspicious files: 115
Text files: 502
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\error.png | image
  MD5: 2C5238DA8AAF78FB2722F82435B59EB0
  SHA256: 1AEE87904EAAC431C564438807BDBD8FB34290831E7B3C0A502FDF1EF8EAA6A1
6640 | CheatEngine.exe | C:\Users\admin\AppData\Local\Temp\is-5L1VB.tmp\CheatEngine.tmp | executable
  MD5: B8170FD7B6479C8D0A8BB85CC3C12440
  SHA256: 0BCEB84A797FDE214452ECDDA8E0CEFC0C5814EE811DCF9F6E1720E051BB43D2
4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\zbShieldUtils.dll | executable
  MD5: 3037E3D5409FB6A697F12ADDB01BA99B
  SHA256: A860BD74595430802F4E2E7AD8FD1D31D3DA3B0C9FAF17AD4641035181A5CE9E
4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\prod0_extract\cookie_mmm_irs_ppi_005_888_a.exe | executable
  MD5: 31208B48ACFE1C6E1D5CD1BCB63CCB4D
  SHA256: 2F4085CDABD5066BEA81DC18AC026F71D3BF61765D174229DFF39203516E2BF3
4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\finish.png | image
  MD5: B24E872BD8F92295273197602AAC8352
  SHA256: 41031EFC4F7E322DC5FFACC94B9296FB28B9B922B1CE3B3DA13BF659A5FD2985
4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\prod0 | compressed
  MD5: C0526C31262A1C5BCC1F0DE4838A65E8
  SHA256: 4248B397B4ADEE48F749F004B8233FD41ECCEF3A0417CB7655070A875EA0CF74
3176 | CheatEngine.exe | C:\Users\admin\AppData\Local\Temp\is-2BQSE.tmp\CheatEngine.tmp | executable
  MD5: B8170FD7B6479C8D0A8BB85CC3C12440
  SHA256: 0BCEB84A797FDE214452ECDDA8E0CEFC0C5814EE811DCF9F6E1720E051BB43D2
4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\prod0.zip | compressed
  MD5: C0526C31262A1C5BCC1F0DE4838A65E8
  SHA256: 4248B397B4ADEE48F749F004B8233FD41ECCEF3A0417CB7655070A875EA0CF74
4608 | CheatEngine.tmp | C:\Users\admin\AppData\Local\Temp\is-GU6BM.tmp\logo.png | image
  MD5: 9CC8A637A7DE5C9C101A3047C7FBBB33
  SHA256: 8C5C80BBC6B0FDB367EAB1253517D8B156C85545A2D37D1EE4B78F3041D9B5DB
1452 | CheatEngine76_Updated_4.exe | C:\Users\admin\AppData\Local\Temp\is-N2OV9.tmp\CheatEngine76_Updated_4.tmp | executable
  MD5: 8845A84A93A95BE050A791399C0CCBC5
  SHA256: A2AF056F652428F230C34EE17D8FCA4136EEF6D69FC049D2B3CAB5FCAB5D1EEE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 65
DNS requests: 251
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this extract)

6644 | cookie_mmm_irs_ppi_005_888_a.exe | POST | 200 | 216.239.36.178:80 | http://www.google-analytics.com/collect | unknown | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | GET | 200 | 23.50.131.71:80 | http://iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online_x64.exe | unknown | whitelisted
1276 | cookie_mmm_irs_ppi_005_888_a.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
1276 | cookie_mmm_irs_ppi_005_888_a.exe | POST | 200 | 216.239.36.178:80 | http://www.google-analytics.com/collect | unknown | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | POST | 200 | 216.239.36.178:80 | http://www.google-analytics.com/collect | unknown | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
6676 | avast_free_antivirus_setup_online_x64.exe | GET | 200 | 216.239.36.178:80 | http://www.google-analytics.com/collect?aiid=mmm_irs_ppi_005_888_a&an=Free&av=25.2.9898&cd=stub-extended&cd3=Online&cid=161c9d36-5c90-443a-b6a2-0eb468ba62ac&dt=Installation&t=screenview&tid=UA-58120669-3&v=1 | unknown | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
1040 | Instup.exe | GET | 200 | 23.50.131.71:80 | http://y8002308.iavs9x.u.avast.com/iavs9x/avbugreport_x64_ais-a5f.vpx | unknown | whitelisted
1040 | Instup.exe | GET | 200 | 23.50.131.91:80 | http://s1843811.iavs9x.u.avast.com/iavs9x/servers.def.vpx | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell that is empty in this extract)

- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4608 | CheatEngine.tmp | 13.33.216.45:443 | d3tn3h2ei7fa3l.cloudfront.net | - | US | whitelisted
4608 | CheatEngine.tmp | 65.9.7.219:443 | d31tu1fsc224h4.cloudfront.net | AMAZON-02 | US | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | 216.239.36.178:80 | www.google-analytics.com | GOOGLE | US | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | 23.50.131.71:80 | iavs9x.u.avast.com | Akamai International B.V. | DE | whitelisted
6644 | cookie_mmm_irs_ppi_005_888_a.exe | 34.117.223.223:80 | v7event.stats.avast.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted
1276 | cookie_mmm_irs_ppi_005_888_a.exe | 216.239.36.178:80 | www.google-analytics.com | GOOGLE | US | whitelisted
1276 | cookie_mmm_irs_ppi_005_888_a.exe | 34.117.223.223:80 | v7event.stats.avast.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 172.217.18.14 | whitelisted
d3tn3h2ei7fa3l.cloudfront.net | 13.33.216.45, 13.33.216.155, 13.33.216.86, 13.33.216.196 | whitelisted
d31tu1fsc224h4.cloudfront.net | 65.9.7.219, 65.9.7.228, 65.9.7.29, 65.9.7.97 | whitelisted
v7event.stats.avast.com | 34.117.223.223 | whitelisted
iavs9x.u.avast.com | 23.50.131.71, 23.50.131.91 | whitelisted
www.google-analytics.com | 216.239.36.178, 216.239.32.178, 216.239.34.178, 216.239.38.178 | whitelisted
analytics.avcdn.net | 34.117.223.223 | whitelisted
shepherd.ff.avast.com | 34.160.176.28 | whitelisted
f3461309.iavs9x.u.avast.com | 23.50.131.91, 23.50.131.71, 2a02:26f0:3500:f::1732:8316, 2a02:26f0:3500:f::1732:831c, 2.22.242.225, 2.22.242.137, 2a02:26f0:780::5f65:36c8, 2a02:26f0:780::5f65:3663 | whitelisted

Threats

PID | Process | Class | Message ("-" marks a cell that is empty in this extract)

- | - | A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M1
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
- | - | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
6644 | cookie_mmm_irs_ppi_005_888_a.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
No debug info