File name: CheatEngine76.exe

Full analysis: https://app.any.run/tasks/a4374d6c-e910-45a9-8f3c-39574f4df7be
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 03, 2025, 21:31:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: adware, innosetup, inno, installer, delphi, loader, arch-exec, evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 81F487F8A51713DED70994F3BDB01892
SHA1: E9F7CEDF0CB6D04D337DD0BEFB450712F6D3F1AF
SHA256: 7F57AB6697F2D27604BE2D63D03768612E6022A1C3B708507AF8FB23D461428A
SSDEEP: 98304:qrq3BdwaTZwM9dHW9F1ya8U8qqgGPDiNoZA38EuSlNfdPI6bpEq8p8qnE5BFzfxs:eRdT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 2560)
      • CheatEngine76.tmp (PID: 2908)
      • net.exe (PID: 2268)
      • net.exe (PID: 3888)
    • Starts Visual C# compiler

      • WeatherZero.exe (PID: 6572)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • CheatEngine76.tmp (PID: 4688)
      • CheatEngine76.tmp (PID: 4408)
      • WZSetup.exe (PID: 3676)
      • saBSI.exe (PID: 1012)
      • saBSI.exe (PID: 5780)
      • WZSetup.exe (PID: 5360)
      • installer.exe (PID: 1532)
      • WeatherZero.exe (PID: 6572)
    • Executable content was dropped or overwritten

      • CheatEngine76.exe (PID: 1812)
      • CheatEngine76.exe (PID: 1056)
      • CheatEngine76.tmp (PID: 4408)
      • WZSetup.exe (PID: 3676)
      • CheatEngine76.exe (PID: 6004)
      • CheatEngine76.tmp (PID: 2908)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
      • saBSI.exe (PID: 5780)
      • saBSI.exe (PID: 1012)
      • WZSetup.exe (PID: 5360)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • Instup.exe (PID: 6824)
      • installer.exe (PID: 2136)
      • installer.exe (PID: 1532)
      • csc.exe (PID: 4448)
      • instup.exe (PID: 3024)
      • saBSI.exe (PID: 5084)
      • saBSI.exe (PID: 7836)
    • Reads the Windows owner or organization settings

      • CheatEngine76.tmp (PID: 4408)
      • CheatEngine76.tmp (PID: 2908)
    • There is functionality for taking screenshot (YARA)

      • CheatEngine76.tmp (PID: 4408)
    • Potential Corporate Privacy Violation

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
    • Process requests binary or script from the Internet

      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
    • Starts SC.EXE for service management

      • CheatEngine76.tmp (PID: 2908)
    • Windows service management via SC.EXE

      • sc.exe (PID: 728)
      • sc.exe (PID: 5964)
      • sc.exe (PID: 6132)
    • Uses ICACLS.EXE to modify access control lists

      • CheatEngine76.tmp (PID: 2908)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 1012)
    • Process drops legitimate windows executable

      • CheatEngine76.tmp (PID: 2908)
      • installer.exe (PID: 1532)
      • instup.exe (PID: 3024)
    • Process drops SQLite DLL files

      • CheatEngine76.tmp (PID: 2908)
    • Executes as Windows Service

      • WeatherZeroService.exe (PID: 5200)
      • PresentationFontCache.exe (PID: 5680)
      • servicehost.exe (PID: 7652)
    • Searches for installed software

      • WZSetup.exe (PID: 3676)
    • Creates a software uninstall entry

      • WZSetup.exe (PID: 3676)
      • WZSetup.exe (PID: 5360)
    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 5780)
      • installer.exe (PID: 2136)
      • installer.exe (PID: 1532)
    • The process creates files with name similar to system file names

      • WZSetup.exe (PID: 5360)
      • installer.exe (PID: 1532)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • WZSetup.exe (PID: 5360)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 1532)
    • Starts itself from another location

      • Instup.exe (PID: 6824)
    • Uses .NET C# to load dll

      • WeatherZero.exe (PID: 6572)
    • Executes application which crashes

      • CheatEngine76.tmp (PID: 4408)
    • Checks for external IP

      • WeatherZero.exe (PID: 6572)
      • svchost.exe (PID: 2196)
    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 5328)
  • INFO

    • Create files in a temporary directory

      • CheatEngine76.exe (PID: 1812)
      • CheatEngine76.exe (PID: 1056)
      • CheatEngine76.tmp (PID: 4408)
      • WZSetup.exe (PID: 3676)
      • CheatEngine76.exe (PID: 6004)
      • CheatEngine76.tmp (PID: 2908)
      • saBSI.exe (PID: 5780)
      • WZSetup.exe (PID: 5360)
      • installer.exe (PID: 1532)
    • Checks supported languages

      • CheatEngine76.exe (PID: 1812)
      • CheatEngine76.tmp (PID: 4688)
      • CheatEngine76.exe (PID: 1056)
      • CheatEngine76.tmp (PID: 4408)
      • saBSI.exe (PID: 1012)
      • saBSI.exe (PID: 5084)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
      • WZSetup.exe (PID: 3676)
      • CheatEngine76.exe (PID: 6004)
      • CheatEngine76.tmp (PID: 2908)
      • _setup64.tmp (PID: 2084)
      • saBSI.exe (PID: 5780)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6372)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • WZSetup.exe (PID: 5360)
      • WeatherZeroService.exe (PID: 5324)
      • WeatherZeroService.exe (PID: 2240)
      • WeatherZeroService.exe (PID: 5200)
      • Instup.exe (PID: 6824)
      • Kernelmoduleunloader.exe (PID: 5392)
      • WeatherZeroService.exe (PID: 5772)
      • WeatherZeroService.exe (PID: 2240)
      • installer.exe (PID: 2136)
      • installer.exe (PID: 1532)
      • instup.exe (PID: 3024)
      • WeatherZero.exe (PID: 6572)
    • Reads the computer name

      • CheatEngine76.tmp (PID: 4688)
      • CheatEngine76.exe (PID: 1056)
      • CheatEngine76.tmp (PID: 4408)
      • saBSI.exe (PID: 5084)
      • saBSI.exe (PID: 1012)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
      • CheatEngine76.exe (PID: 6004)
      • CheatEngine76.tmp (PID: 2908)
      • WZSetup.exe (PID: 3676)
      • saBSI.exe (PID: 5780)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6372)
      • WeatherZeroService.exe (PID: 5324)
      • WeatherZeroService.exe (PID: 2240)
      • WeatherZeroService.exe (PID: 5200)
      • WZSetup.exe (PID: 5360)
      • Instup.exe (PID: 6824)
      • Kernelmoduleunloader.exe (PID: 5392)
      • WeatherZeroService.exe (PID: 2240)
      • WeatherZeroService.exe (PID: 5772)
      • installer.exe (PID: 1532)
      • instup.exe (PID: 3024)
      • WeatherZero.exe (PID: 6572)
    • Process checks computer location settings

      • CheatEngine76.tmp (PID: 4688)
      • CheatEngine76.tmp (PID: 4408)
    • The sample compiled with english language support

      • CheatEngine76.tmp (PID: 4408)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
      • WZSetup.exe (PID: 3676)
      • CheatEngine76.tmp (PID: 2908)
      • saBSI.exe (PID: 1012)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • WZSetup.exe (PID: 5360)
      • saBSI.exe (PID: 5780)
      • installer.exe (PID: 2136)
      • Instup.exe (PID: 6824)
      • installer.exe (PID: 1532)
      • saBSI.exe (PID: 5084)
      • instup.exe (PID: 3024)
    • Reads the software policy settings

      • CheatEngine76.tmp (PID: 4408)
      • saBSI.exe (PID: 1012)
      • WZSetup.exe (PID: 3676)
      • saBSI.exe (PID: 5780)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • Instup.exe (PID: 6824)
      • WZSetup.exe (PID: 5360)
      • installer.exe (PID: 1532)
      • WeatherZero.exe (PID: 6572)
    • Checks proxy server information

      • CheatEngine76.tmp (PID: 4408)
      • WZSetup.exe (PID: 3676)
      • saBSI.exe (PID: 1012)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • saBSI.exe (PID: 5780)
      • Instup.exe (PID: 6824)
      • WZSetup.exe (PID: 5360)
      • instup.exe (PID: 3024)
      • WeatherZero.exe (PID: 6572)
    • Reads the machine GUID from the registry

      • CheatEngine76.tmp (PID: 4408)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 3784)
      • saBSI.exe (PID: 1012)
      • WZSetup.exe (PID: 3676)
      • saBSI.exe (PID: 5780)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • WeatherZeroService.exe (PID: 2240)
      • Instup.exe (PID: 6824)
      • WZSetup.exe (PID: 5360)
      • WeatherZeroService.exe (PID: 5200)
      • WeatherZeroService.exe (PID: 5772)
      • instup.exe (PID: 3024)
      • installer.exe (PID: 1532)
      • WeatherZero.exe (PID: 6572)
    • Detects InnoSetup installer (YARA)

      • CheatEngine76.exe (PID: 1812)
      • CheatEngine76.tmp (PID: 4688)
      • CheatEngine76.exe (PID: 1056)
      • CheatEngine76.tmp (PID: 4408)
    • Compiled with Borland Delphi (YARA)

      • CheatEngine76.exe (PID: 1812)
      • CheatEngine76.tmp (PID: 4688)
      • CheatEngine76.exe (PID: 1056)
      • CheatEngine76.tmp (PID: 4408)
    • Creates files in the program directory

      • saBSI.exe (PID: 1012)
      • CheatEngine76.tmp (PID: 2908)
      • WZSetup.exe (PID: 3676)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • saBSI.exe (PID: 5780)
      • Instup.exe (PID: 6824)
      • installer.exe (PID: 2136)
      • installer.exe (PID: 1532)
    • Manual execution by a user

      • saBSI.exe (PID: 1568)
      • saBSI.exe (PID: 5084)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 5136)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 6372)
      • WZSetup.exe (PID: 6652)
      • WZSetup.exe (PID: 5360)
    • Reads CPU info

      • avast_free_antivirus_setup_online_x64.exe (PID: 5640)
      • Instup.exe (PID: 6824)
      • instup.exe (PID: 3024)
    • Reads Environment values

      • Instup.exe (PID: 6824)
      • instup.exe (PID: 3024)
    • Creates files or folders in the user directory

      • WeatherZero.exe (PID: 6572)
    • Creates a software uninstall entry

      • CheatEngine76.tmp (PID: 2908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 7.6.0.0
ProductVersionNumber: 7.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: ЕngineGame Downloader
FileVersion: 7.6.0
LegalCopyright: © ЕngineGame
OriginalFileName:
ProductName: ЕngineGame
ProductVersion: 7.6.0
No data.
All screenshots are available in the full report
Total processes: 211
Monitored processes: 74
Malicious processes: 8
Suspicious processes: 8

Behavior graph

start cheatengine76.exe cheatengine76.tmp no specs cheatengine76.exe cheatengine76.tmp sabsi.exe sabsi.exe no specs sabsi.exe cookie_mmm_irs_ppi_005_888_a.exe wzsetup.exe cheatengine76.exe cheatengine76.tmp net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs _setup64.tmp no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs sabsi.exe cookie_mmm_irs_ppi_005_888_a.exe no specs avast_free_antivirus_setup_online_x64.exe cookie_mmm_irs_ppi_005_888_a.exe wzsetup.exe no specs wzsetup.exe weatherzeroservice.exe no specs conhost.exe no specs weatherzeroservice.exe no specs conhost.exe no specs weatherzeroservice.exe no specs instup.exe kernelmoduleunloader.exe no specs weatherzeroservice.exe no specs conhost.exe no specs weatherzeroservice.exe no specs conhost.exe no specs installer.exe installer.exe slui.exe instup.exe weatherzero.exe windowsrepair.exe no specs icacls.exe no specs conhost.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs presentationfontcache.exe no specs cheat engine.exe no specs cheatengine-x86_64-sse4-avx2.exe werfault.exe no specs werfault.exe no specs tutorial-x86_64.exe no specs servicehost.exe uihost.exe no specs sbr.exe no specs updater.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sabsi.exe svchost.exe

Process information

PID: 644
CMD: C:\WINDOWS\system32\net1 stop BadlionAntic
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll

PID: 672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: _setup64.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 728
CMD: "sc" delete BadlionAnticheat
Path: C:\Windows\System32\sc.exe
Parent process: CheatEngine76.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 920
CMD: "icacls" "C:\Program Files\Cheat Engine" /grant *S-1-15-2-1:(OI)(CI)(RX)
Path: C:\Windows\System32\icacls.exe
Parent process: CheatEngine76.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1012
CMD: "C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\prod0_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=FR
Path: C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\prod0_extract\saBSI.exe
Parent process: CheatEngine76.tmp
User: admin
Company: McAfee, LLC
Integrity Level: HIGH
Description: McAfee WebAdvisor(bootstrap installer)
Exit code: 0
Version: 4,1,1,865
Modules (Images):
c:\users\admin\appdata\local\temp\is-1f4t7.tmp\prod0_extract\sabsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 1056
CMD: "C:\Users\admin\Desktop\CheatEngine76.exe" /SPAWNWND=$60294 /NOTIFYWND=$902AE
Path: C:\Users\admin\Desktop\CheatEngine76.exe
Parent process: CheatEngine76.tmp
User: admin
Company:
Integrity Level: HIGH
Description: ЕngineGame Downloader
Exit code: 3221226525
Version: 7.6.0
Modules (Images):
c:\users\admin\desktop\cheatengine76.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

PID: 1128
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC070.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC06F.tmp"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 8.00.50727.9672 (WinRelRS6.050727-9100)
Modules (Images):
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 1532
CMD: "C:\Program Files\McAfee\Temp3717560890\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
Path: C:\Program Files\McAfee\Temp3717560890\installer.exe
Parent process: installer.exe
User: admin
Company: McAfee, LLC
Integrity Level: HIGH
Description: McAfee WebAdvisor(installer)
Exit code: 0
Version: 4,1,1,1022
Modules (Images):
c:\program files\mcafee\temp3717560890\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll

PID: 1568
CMD: "C:\Users\admin\Desktop\saBSI.exe"
Path: C:\Users\admin\Desktop\saBSI.exe
Parent process: explorer.exe
User: admin
Company: McAfee, LLC
Integrity Level: MEDIUM
Description: McAfee WebAdvisor(bootstrap installer)
Exit code: 3221226540
Version: 4,1,1,865
Modules (Images):
c:\users\admin\desktop\sabsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 1616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WeatherZeroService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 95 036
Read events: 89 209
Write events: 5 806
Delete events: 21

Modification events

Process: (1012) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: UUID
Value: {82BFC697-BA2D-4A18-8CF1-25FB5A04E56B}

Process: (1012) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallerFlags
Value: 1

Process: (4408) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E90705000600030015001F0030005A00010000001E768127E028094199FEB9D127C57AFE

Process: (4408) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000B5B88BC672BCDB01

Process: (2908) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Owner
Value: 5C0B0000209DBEC772BCDB01

Process: (2908) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: SessionHash
Value: 54CFA2ED081E07C27637E4C77E237567E9EFA76CD14B623EDC2098ECBF9DEC93

Process: (2908) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: Sequence
Value: 1

Process: (2908) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: RegFiles0000
Value: C:\Program Files\Cheat Engine\windowsrepair.exe

Process: (2908) CheatEngine76.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write
Name: RegFilesHash
Value: 494B0DB1AB056F44BD1F6445B0BD1F91699EE68524F9C70023DD5A41083CFFB1

Process: (3676) WZSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Executable files: 293
Suspicious files: 411
Text files: 1 295
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1056 | CheatEngine76.exe | C:\Users\admin\AppData\Local\Temp\is-I4VCS.tmp\CheatEngine76.tmp | executable
  MD5: 24F7AE63B369D26136574781735A2F6C
  SHA256: CC34EC320B9C5DF608E9F7EEFFAD8C4885FCED83F9F41E66F4CB90EB3D9143B3
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\is-T04RI.tmp | image
  MD5: 9AC6287111CB2B272561781786C46CDD
  SHA256: AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\error.png | image
  MD5: 2C5238DA8AAF78FB2722F82435B59EB0
  SHA256: 1AEE87904EAAC431C564438807BDBD8FB34290831E7B3C0A502FDF1EF8EAA6A1
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\AVAST.png | image
  MD5: 378F74A0CBDD582D8B434B7B978FF375
  SHA256: 1225AFDA135B0BF3B5633595AF4096F8C6620EBB34AA5DF7C64253F03668B33D
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\_isetup\_setup64.tmp | executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\zbShieldUtils.dll | executable
  MD5: 3037E3D5409FB6A697F12ADDB01BA99B
  SHA256: A860BD74595430802F4E2E7AD8FD1D31D3DA3B0C9FAF17AD4641035181A5CE9E
1812 | CheatEngine76.exe | C:\Users\admin\AppData\Local\Temp\is-NK0HR.tmp\CheatEngine76.tmp | executable
  MD5: 24F7AE63B369D26136574781735A2F6C
  SHA256: CC34EC320B9C5DF608E9F7EEFFAD8C4885FCED83F9F41E66F4CB90EB3D9143B3
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\logo.png | image
  MD5: 9CC8A637A7DE5C9C101A3047C7FBBB33
  SHA256: 8C5C80BBC6B0FDB367EAB1253517D8B156C85545A2D37D1EE4B78F3041D9B5DB
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\is-VFBAN.tmp | image
  MD5: 4CFFF8DC30D353CD3D215FD3A5DBAC24
  SHA256: 0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
4408 | CheatEngine76.tmp | C:\Users\admin\AppData\Local\Temp\is-1F4T7.tmp\is-EFIPF.tmp | image
  MD5: 378F74A0CBDD582D8B434B7B978FF375
  SHA256: 1225AFDA135B0BF3B5633595AF4096F8C6620EBB34AA5DF7C64253F03668B33D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 182
TCP/UDP connections: 140
DNS requests: 268
Threats: 48

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
2516 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted
2516 | RUXIMICS.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
- | - | GET | 200 | 18.245.78.141:443 | https://d37tdtb0ed9odn.cloudfront.net/f/WebAdvisor/images/943/EN.png | US | - | - | unknown
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 18.245.78.213:443 | https://d37tdtb0ed9odn.cloudfront.net/o | US | binary | 13.2 Kb | whitelisted
- | - | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 200 | 18.245.78.213:443 | https://d37tdtb0ed9odn.cloudfront.net/zbd | US | - | - | whitelisted
- | - | POST | 200 | 18.245.78.129:443 | https://d37tdtb0ed9odn.cloudfront.net/zbd | US | binary | 15 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2516 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2516 | RUXIMICS.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2516 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
whitelisted
d37tdtb0ed9odn.cloudfront.net
  • 18.245.78.200
  • 18.245.78.213
  • 18.245.78.141
  • 18.245.78.129
whitelisted
slscr.update.microsoft.com
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
analytics.apis.mcafee.com
unknown

Threats

Class | Message
A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M1
Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M2
Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M2
Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
A Network Trojan was detected | ET ADWARE_PUP Win32/OfferCore Checkin M2
Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
No debug info