File name:

AMCap v9.23 Full Version.rar

Full analysis: https://app.any.run/tasks/a48c2fb3-28a9-43c6-858f-976838aa1e53
Verdict: Malicious activity
Analysis date: March 04, 2024, 13:12:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D20FD4CEA31FB188678BB04C0565EBA2

SHA1:

A4A8A3071E910D5555DF9BA62CC48C9F208062DA

SHA256:

7D8F222495E087F4EE999DA971A4D353BC8461EC9DE1B12FF7D07CBBAA330311

SSDEEP:

196608:oPvfohb0nyhBkb0laroCantEaFTPiPxrq:o3foJ0nZb0lAoCatEQTPiJrq
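Before acting on the indicators above, confirm that the file in hand is the one the sandbox analysed and that its container really is a RAR v5 archive: the .rar extension and the MIME line are chosen by whoever packaged the file, the leading magic bytes are not. The script below is an added example, not part of the ANY.RUN report. It checks the first bytes against the RAR4, RAR5, ZIP and PE signatures, computes MD5, SHA1 and SHA256, and compares them with the digests listed above; the `verify_path` helper and the `MAGIC` table are this example's own. SSDEEP is left out because it needs a native library.

```python
"""Verify that a local file matches the digests the report publishes.

Added example; not part of the ANY.RUN report.  REPORTED holds the three
digests printed above for "AMCap v9.23 Full Version.rar"; MAGIC and
verify_path are this example's own.
"""
import hashlib

# Leading bytes of the container and payload types that appear in this report.
# RAR4 and RAR5 differ at byte 6 (0x00 vs 0x01), so the order is not critical,
# but the longer RAR5 signature is tested first for clarity.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5)"),
    (b"Rar!\x1a\x07\x00", "RAR archive (v4)"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"MZ", "PE executable"),
]

# Digests from the report header (case-insensitive comparison below).
REPORTED = {
    "md5": "D20FD4CEA31FB188678BB04C0565EBA2",
    "sha1": "A4A8A3071E910D5555DF9BA62CC48C9F208062DA",
    "sha256": "7D8F222495E087F4EE999DA971A4D353BC8461EC9DE1B12FF7D07CBBAA330311",
}


def identify_container(data: bytes) -> str:
    """Name the container from its magic bytes, ignoring extension and MIME."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the bytes, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_sample(data: bytes, expected: dict = REPORTED) -> dict:
    """Compare every digest the report lists.

    All three must match: a single mismatch means this is not the file the
    sandbox ran, and none of the behaviour above can be assumed for it.
    """
    actual = digests(data)
    matches = {name: actual[name] == value.lower() for name, value in expected.items()}
    return {
        "container": identify_container(data),
        "digests": actual,
        "matches": matches,
        "is_reported_sample": all(matches.values()),
    }


def verify_path(path: str, expected: dict = REPORTED) -> dict:
    """Read a file from disk and verify it against the reported digests."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read(), expected)


if __name__ == "__main__":
    import sys
    result = verify_path(sys.argv[1]) if len(sys.argv) > 1 else verify_sample(b"")
    print(result["container"], "match" if result["is_reported_sample"] else "MISMATCH")
    for name, value in result["digests"].items():
        print(f"  {name}: {value} ({'ok' if result['matches'][name] else 'differs'})")
```

Run it as `python verify_sample.py "AMCap v9.23 Full Version.rar"`; a `MISMATCH` line means the report does not describe the file you have, whatever its name says.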

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4052)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Executable content was dropped or overwritten

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
    • The process creates files with name similar to system file names

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Process drops legitimate windows executable

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
    • Starts a Microsoft application from unusual location

      • vcredist_x86.exe (PID: 3996)
      • vcredist_x86.exe (PID: 2408)
    • Application launched itself

      • vcredist_x86.exe (PID: 3996)
      • WinRAR.exe (PID: 3396)
    • Creates/Modifies COM task schedule object

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Searches for installed software

      • vcredist_x86.exe (PID: 2408)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2792)
    • Reads the Internet Settings

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Reads security settings of Internet Explorer

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
      • WinRAR.exe (PID: 3396)
    • Reads Microsoft Outlook installation path

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Checks Windows Trust Settings

      • MeGaHeRTZ.exe (PID: 2976)
    • Reads Internet Explorer settings

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Reads settings of System Certificates

      • MeGaHeRTZ.exe (PID: 2976)
    • Adds/modifies Windows certificates

      • MeGaHeRTZ.exe (PID: 2976)
    • Creates a software uninstall entry

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4052)
    • Checks supported languages

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 3996)
      • vcredist_x86.exe (PID: 2408)
      • amcap.exe (PID: 2728)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Reads the computer name

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
      • vcredist_x86.exe (PID: 3996)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
      • amcap.exe (PID: 2728)
    • Manual execution by a user

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 3304)
      • msedge.exe (PID: 1728)
      • MeGaHeRTZ.exe (PID: 3668)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
      • WinRAR.exe (PID: 3396)
      • chrome.exe (PID: 3768)
    • Create files in a temporary directory

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
      • amcap.exe (PID: 2592)
      • MeGaHeRTZ.exe (PID: 2976)
    • Application launched itself

      • msedge.exe (PID: 2260)
      • msedge.exe (PID: 1728)
      • chrome.exe (PID: 3768)
    • Creates files in the program directory

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • WinRAR.exe (PID: 3148)
    • Reads the machine GUID from the registry

      • amcap.exe (PID: 2728)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Checks proxy server information

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Process checks whether UAC notifications are on

      • MeGaHeRTZ.exe (PID: 2976)
    • Creates files or folders in the user directory

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2728)
      • amcap.exe (PID: 2592)
    • Reads the software policy settings

      • MeGaHeRTZ.exe (PID: 2976)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes
104
Monitored processes
48
Malicious processes
4
Suspicious processes
1

Behavior graph

Process tree as shown in the full report (the interactive graph is not reproduced here; "no specs" marks processes that triggered no signatures):
  • winrar.exe
  • amcap v9.23 build 300.6 demo setup.exe (no specs)
  • amcap v9.23 build 300.6 demo setup.exe
  • vcredist_x86.exe (no specs)
  • vcredist_x86.exe
  • vssvc.exe (no specs)
  • amcap.exe (no specs)
  • msedge.exe (a series of browser child processes, two of them with signatures, the rest no specs)
  • megahertz.exe (no specs)
  • megahertz.exe
  • amcap.exe (no specs)
  • winrar.exe (no specs)
  • winrar.exe
  • Copy/Move/Rename/Delete/Link Object (no specs)
  • chrome.exe (a series of browser child processes, two of them with signatures, the rest no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
668
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6a648b38,0x6a648b48,0x6a648b54
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
848
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3124 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
920
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1148,i,3375176476739027884,297027236399192885,131072 /prefetch:3
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
924
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1428 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
1020
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1616 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
1216
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1148,i,3375176476739027884,297027236399192885,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1728
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate "C:\Program Files\Noël Danjou\AMCap\readme.htm"
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1992
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=2236 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2072
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1496 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2232
CMD:
"C:\Users\admin\Desktop\AMCap v9.23 Full Version\AMCap v9.23 build 300.6 Demo Setup.exe"
Path:
C:\Users\admin\Desktop\AMCap v9.23 Full Version\AMCap v9.23 build 300.6 Demo Setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Noël Danjou
Integrity Level:
HIGH
Description:
AMCap Installer
Exit code:
0
Version:
9.23.94.1
Modules
Images
c:\users\admin\desktop\amcap v9.23 full version\amcap v9.23 build 300.6 demo setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
29 301
Read events
28 823
Write events
442
Delete events
36

Modification events

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\AMCap v9.23 Full Version.rar
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
18
Suspicious files
73
Text files
166
Unknown types
57

Dropped files

PID
Process
Filename
Type
PID: 4052  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.47391\AMCap v9.23 Full Version\MeGaHeRTZ.exe
Type: executable
MD5: CA3285CE0EB329AD0C0021B9531C54AF
SHA256: 1F844241203232691F0E2B9E0C6A1FB5A52AAE81C3F60CAF74681D33A98C57B7

PID: 2232  Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\LockedList.dll
Type: executable
MD5: CA238F4ABE4B70A4A85A9D2FBF5CA3D9
SHA256: 6D0F6E9B326A4D3E249D728FC471681281855013094F337296F5B89D78303943

PID: 2232  Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\System.dll
Type: executable
MD5: 9625D5B1754BC4FF29281D415D27A0FD
SHA256: C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448

PID: 2232  Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\nsDialogs.dll
Type: executable
MD5: D2E45DD852A659E11897DF573832F381
SHA256: 86C8EE210E6611383A634DCB8C60455063DDAE3D7ADCCBEACF3ADF7BF2A46676

PID: 2232  Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\modern-wizard.bmp
Type: image
MD5: 2BE7498FCDAB7F7AAD95AA818E41DA2D
SHA256: 13010BBBB7B4832E645CDB1CD2E837FB32339AE3E899E6B7653E80A8664BD889

PID: 4052  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.47391\AMCap v9.23 Full Version\MeGaHeRTZ.nfo
Type: text
MD5: 2CB9A46472CA25CFBDCB6E8F7EE6BD59
SHA256: 608AB119614811849F79717DE359CD95AF862D24603577B9D6075971402EB9B9

PID: 4052  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.47391\AMCap v9.23 Full Version\AMCap v9.23 build 300.6 Demo Setup.exe
Type: executable
MD5: 6A8B7F9A8A67CBBAA0E9F5A4C9F3934A
SHA256: 2E8C3D8D29C02B973F023F985B4F05FFFFE6B8E49429DC6C5C35A0A69C4D5EAE

PID: 2408  Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{404c9c27-8377-4fd1-b607-7ca635db4e49}\.ba1\1036\license.rtf
Type: text
MD5: 1DA77B492870266E67626CE000528425
SHA256: 84CFC67F98D7553AB6AF43E9B8D89138A9F46D0FD9291A441D7FE73F5C1A9DC6

PID: 2408  Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{404c9c27-8377-4fd1-b607-7ca635db4e49}\.ba1\1028\license.rtf
Type: text
MD5: CBEFFF78F4E80A5693DA65050A8A6E32
SHA256: CADA21198E68FAB0B914BCEB92EFE3475487596115D9C0C7C75CAAC0301004B2

PID: 2408  Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{404c9c27-8377-4fd1-b607-7ca635db4e49}\.ba1\1046\license.rtf
Type: text
MD5: 5A046E819DBB8725B348A7C267EF2C10
SHA256: 1588C08EF3A4F8D67F179B83BB12378C2873B096496792F05615EC94DA3B5E83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
48
DNS requests
49
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2976 | MeGaHeRTZ.exe | GET | 304 | 95.101.11.9:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b920279959cebafb | | | | unknown
2976 | MeGaHeRTZ.exe | GET | 301 | 3.96.23.237:80 | http://beam.to/mhzstatistics | | html | 79 b | unknown
2976 | MeGaHeRTZ.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | | binary | 1.41 Kb | unknown
2976 | MeGaHeRTZ.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | | binary | 724 b | unknown
| | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | | binary | 724 b | unknown
| | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEH1ZfRmkcbmIEJt1GKpWSOU%3D | | binary | 471 b | unknown
2976 | MeGaHeRTZ.exe | GET | 200 | 108.138.2.107:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | | binary | 2.02 Kb | unknown
2976 | MeGaHeRTZ.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEnA9eVH9TrLXPKuCavuqCA0%3D | | binary | 822 b | unknown
2976 | MeGaHeRTZ.exe | GET | 200 | 95.101.11.9:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba800a0a96be5fde | | compressed | 67.5 Kb | unknown
| | GET | 200 | 18.245.39.64:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEowz8xPdLX1MG5U07e%2BCsM%3D | | binary | 1.49 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
920 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1728 | msedge.exe | 239.255.255.250:1900 | | | | unknown
920 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1728 | msedge.exe | 224.0.0.251:5353 | | | | unknown
920 | msedge.exe | 23.222.16.80:443 | www.bing.com | Akamai International B.V. | US | unknown
920 | msedge.exe | 152.199.21.175:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | EDGECAST | DE | unknown
2976 | MeGaHeRTZ.exe | 3.96.23.237:80 | beam.to | AMAZON-02 | CA | unknown

DNS requests

Domain | IP | Reputation
config.edge.skype.com | 13.107.42.16 | unknown
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | unknown
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | 152.199.21.175 | unknown
www.bing.com | 23.222.16.80, 23.222.16.16, 23.222.16.97, 23.222.16.40, 23.222.16.72, 23.222.16.56, 23.222.16.9, 23.222.16.90, 23.222.16.35 | unknown
beam.to | 3.96.23.237 | unknown
beings.com | 162.159.134.42 | unknown
ctldl.windowsupdate.com | 95.101.11.9, 95.101.11.56 | unknown
ocsp.pki.goog | 142.250.74.195 | unknown
www.googletagmanager.com | 142.250.186.136 | unknown
static.hotjar.com | 18.66.97.53, 18.66.97.49, 18.66.97.10, 18.66.97.37 | unknown

Threats

PID | Process | Class | Message
| | Potentially Bad Traffic | ET DNS Query for .to TLD
No debug info