File name:

AMCap v9.23 Full Version.rar

Full analysis: https://app.any.run/tasks/a48c2fb3-28a9-43c6-858f-976838aa1e53
Verdict: Malicious activity
Analysis date: March 04, 2024, 13:12:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D20FD4CEA31FB188678BB04C0565EBA2

SHA1:

A4A8A3071E910D5555DF9BA62CC48C9F208062DA

SHA256:

7D8F222495E087F4EE999DA971A4D353BC8461EC9DE1B12FF7D07CBBAA330311

SSDEEP:

196608:oPvfohb0nyhBkb0laroCantEaFTPiPxrq:o3foJ0nZb0lAoCatEQTPiJrq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4052)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Executable content was dropped or overwritten

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
    • The process creates files with name similar to system file names

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Process drops legitimate windows executable

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
    • Starts a Microsoft application from unusual location

      • vcredist_x86.exe (PID: 3996)
      • vcredist_x86.exe (PID: 2408)
    • Application launched itself

      • vcredist_x86.exe (PID: 3996)
      • WinRAR.exe (PID: 3396)
    • Searches for installed software

      • vcredist_x86.exe (PID: 2408)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2792)
    • Creates/Modifies COM task schedule object

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Creates a software uninstall entry

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
    • Reads the Internet Settings

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Checks Windows Trust Settings

      • MeGaHeRTZ.exe (PID: 2976)
    • Reads settings of System Certificates

      • MeGaHeRTZ.exe (PID: 2976)
    • Reads Microsoft Outlook installation path

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Adds/modifies Windows certificates

      • MeGaHeRTZ.exe (PID: 2976)
    • Reads security settings of Internet Explorer

      • amcap.exe (PID: 2592)
      • WinRAR.exe (PID: 3396)
      • MeGaHeRTZ.exe (PID: 2976)
    • Reads Internet Explorer settings

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
  • INFO

    • Checks supported languages

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 3996)
      • vcredist_x86.exe (PID: 2408)
      • amcap.exe (PID: 2728)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Manual execution by a user

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 3304)
      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • msedge.exe (PID: 1728)
      • MeGaHeRTZ.exe (PID: 2976)
      • MeGaHeRTZ.exe (PID: 3668)
      • amcap.exe (PID: 2592)
      • chrome.exe (PID: 3768)
      • WinRAR.exe (PID: 3396)
    • Reads the computer name

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 3996)
      • vcredist_x86.exe (PID: 2408)
      • amcap.exe (PID: 2728)
      • amcap.exe (PID: 2592)
      • MeGaHeRTZ.exe (PID: 2976)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4052)
    • Create files in a temporary directory

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • vcredist_x86.exe (PID: 2408)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Reads the machine GUID from the registry

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • amcap.exe (PID: 2728)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Creates files in the program directory

      • AMCap v9.23 build 300.6 Demo Setup.exe (PID: 2232)
      • WinRAR.exe (PID: 3148)
    • Application launched itself

      • msedge.exe (PID: 2260)
      • msedge.exe (PID: 1728)
      • chrome.exe (PID: 3768)
    • Creates files or folders in the user directory

      • amcap.exe (PID: 2728)
      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Checks proxy server information

      • MeGaHeRTZ.exe (PID: 2976)
      • amcap.exe (PID: 2592)
    • Process checks whether UAC notifications are on

      • MeGaHeRTZ.exe (PID: 2976)
    • Reads the software policy settings

      • MeGaHeRTZ.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
104
Monitored processes
48
Malicious processes
4
Suspicious processes
1

Behavior graph

Process nodes in the graph, in order (nodes without indicator details were marked "no specs" in the interactive view): winrar.exe, amcap v9.23 build 300.6 demo setup.exe, vcredist_x86.exe, vssvc.exe, amcap.exe, msedge.exe (multiple child processes), megahertz.exe, amcap.exe, winrar.exe, Copy/Move/Rename/Delete/Link Object, chrome.exe (multiple child processes)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
668
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6a648b38,0x6a648b48,0x6a648b54
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
848
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3124 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
920
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1148,i,3375176476739027884,297027236399192885,131072 /prefetch:3
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
924
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1428 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
1020
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1616 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
1216
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1148,i,3375176476739027884,297027236399192885,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1728
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate "C:\Program Files\Noël Danjou\AMCap\readme.htm"
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1992
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=2236 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2072
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1496 --field-trial-handle=1152,i,3429856264645971496,6644769175058411504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2232
CMD:
"C:\Users\admin\Desktop\AMCap v9.23 Full Version\AMCap v9.23 build 300.6 Demo Setup.exe"
Path:
C:\Users\admin\Desktop\AMCap v9.23 Full Version\AMCap v9.23 build 300.6 Demo Setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Noël Danjou
Integrity Level:
HIGH
Description:
AMCap Installer
Exit code:
0
Version:
9.23.94.1
Modules
Images
c:\users\admin\desktop\amcap v9.23 full version\amcap v9.23 build 300.6 demo setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
29 301
Read events
28 823
Write events
442
Delete events
36

Modification events

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\AMCap v9.23 Full Version.rar

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
18
Suspicious files
73
Text files
166
Unknown types
57

Dropped files

PID
Process
Filename
Type
PID: 2232
Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\System.dll
Type: executable
MD5: 9625D5B1754BC4FF29281D415D27A0FD
SHA256: C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448

PID: 2232
Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\LangDLL.dll
Type: executable
MD5: 30B091668111AB1D6C19F16586A9EEE5
SHA256: 331CA4B3A311324B463167EC43851146E57A2D90500AC3FD57A7683F6B777FFB

PID: 4052
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.47391\AMCap v9.23 Full Version\AMCap v9.23 build 300.6 Demo Setup.exe
Type: executable
MD5: 6A8B7F9A8A67CBBAA0E9F5A4C9F3934A
SHA256: 2E8C3D8D29C02B973F023F985B4F05FFFFE6B8E49429DC6C5C35A0A69C4D5EAE

PID: 4052
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.47391\AMCap v9.23 Full Version\MeGaHeRTZ.nfo
Type: text
MD5: 2CB9A46472CA25CFBDCB6E8F7EE6BD59
SHA256: 608AB119614811849F79717DE359CD95AF862D24603577B9D6075971402EB9B9

PID: 2232
Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\nsDialogs.dll
Type: executable
MD5: D2E45DD852A659E11897DF573832F381
SHA256: 86C8EE210E6611383A634DCB8C60455063DDAE3D7ADCCBEACF3ADF7BF2A46676

PID: 4052
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.47391\AMCap v9.23 Full Version\MeGaHeRTZ.exe
Type: executable
MD5: CA3285CE0EB329AD0C0021B9531C54AF
SHA256: 1F844241203232691F0E2B9E0C6A1FB5A52AAE81C3F60CAF74681D33A98C57B7

PID: 2408
Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{404c9c27-8377-4fd1-b607-7ca635db4e49}\.ba1\wixstdba.dll
Type: executable
MD5: A973CFA4951D519E032F42DC98A198B0
SHA256: 25EE85C14C9BE619B4F0BF783963ACE1DC0AF0E802014728C2A2CA8DA213D31D

PID: 2408
Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{404c9c27-8377-4fd1-b607-7ca635db4e49}\.ba1\1040\license.rtf
Type: text
MD5: 94D8385DC3A6F119957AB03BB9B7F4B6
SHA256: FA3C295F9CF4B2DDB046A9DF5EF23EDD412A8980DF52272F460FBB345260A134

PID: 2232
Process: AMCap v9.23 build 300.6 Demo Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsw372A.tmp\LockedList.dll
Type: executable
MD5: CA238F4ABE4B70A4A85A9D2FBF5CA3D9
SHA256: 6D0F6E9B326A4D3E249D728FC471681281855013094F337296F5B89D78303943

PID: 2408
Process: vcredist_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\{404c9c27-8377-4fd1-b607-7ca635db4e49}\.ba1\1031\license.rtf
Type: text
MD5: 3C9F6F7AA38511F964FFB18A9D96C95D
SHA256: 442AD9E5B34D2A0AEE3CD0450AF51C6638A23EBD9771914428794BB8D4396A4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
48
DNS requests
49
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2976
MeGaHeRTZ.exe
GET
301
3.96.23.237:80
http://beam.to/mhzstatistics
unknown
html
79 b
2976
MeGaHeRTZ.exe
GET
304
95.101.11.9:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b920279959cebafb
unknown
2976
MeGaHeRTZ.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
2976
MeGaHeRTZ.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEH1ZfRmkcbmIEJt1GKpWSOU%3D
unknown
binary
471 b
2976
MeGaHeRTZ.exe
GET
200
108.138.2.107:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
binary
2.02 Kb
GET
200
18.245.39.64:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEowz8xPdLX1MG5U07e%2BCsM%3D
unknown
binary
1.49 Kb
2976
MeGaHeRTZ.exe
GET
200
18.245.39.64:80
http://ocsp.rootca3.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRkNawYMzz%2BjKSfYbTyFR0AXuhs6QQUq7bb1waeN6wwhgeRcMecxBmxeMACEwdzEnA9eVH9TrLXPKuCavuqCA0%3D
unknown
binary
822 b
2976
MeGaHeRTZ.exe
GET
200
95.101.11.9:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba800a0a96be5fde
unknown
compressed
67.5 Kb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
920
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1728
msedge.exe
239.255.255.250:1900
unknown
920
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1728
msedge.exe
224.0.0.251:5353
unknown
920
msedge.exe
23.222.16.80:443
www.bing.com
Akamai International B.V.
US
unknown
920
msedge.exe
152.199.21.175:443
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
EDGECAST
DE
whitelisted
2976
MeGaHeRTZ.exe
3.96.23.237:80
beam.to
AMAZON-02
CA
unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
unknown
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
unknown
www.bing.com
  • 23.222.16.80
  • 23.222.16.16
  • 23.222.16.97
  • 23.222.16.40
  • 23.222.16.72
  • 23.222.16.56
  • 23.222.16.9
  • 23.222.16.90
  • 23.222.16.35
unknown
beam.to
  • 3.96.23.237
unknown
beings.com
  • 162.159.134.42
unknown
ctldl.windowsupdate.com
  • 95.101.11.9
  • 95.101.11.56
unknown
ocsp.pki.goog
  • 142.250.74.195
unknown
www.googletagmanager.com
  • 142.250.186.136
unknown
static.hotjar.com
  • 18.66.97.53
  • 18.66.97.49
  • 18.66.97.10
  • 18.66.97.37
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info