File name: HOTGUY_3[1].EXE

Full analysis: https://app.any.run/tasks/95a43f02-7f56-43b2-be07-dee39838ba74
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: November 28, 2019, 11:45:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D7E34FE20F566CCBDCD6F67E8DFA21FE
SHA1: 5B289EE773D76D0DB0D444ADA7FDCDF4C232C2EA
SHA256: 910E5564E263F812996DCC68E22E581B1DB938F618DE6106B9716D80262283C4
SSDEEP: 6144:lDXOOA5JVko9hvHlhVb9dyImAaDzhOX7VvHCIHt+SMn6V5yBd+r:lDTAXT9xHD9+AaDtOLpEk5yir

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts Internet Explorer

      • HOTGUY_3[1].EXE (PID: 1956)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2000:05:09 17:09:48+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 20480
InitializedDataSize: 192512
UninitializedDataSize: -
EntryPoint: 0x351c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-May-2000 15:09:48
Detected languages:
  • English - United Kingdom

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 09-May-2000 15:09:48
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                          | Entropy
.text  | 0x00001000      | 0x00004D56   | 0x00005000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ            | 6.64495
.rdata | 0x00006000      | 0x000007E6   | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 7.13691
.data  | 0x00007000      | 0x00000C38   | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  | 3.47726
.zexe  | 0x00008000      | 0x0001E55E   | 0x0001F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 7.98676
.rsrc  | 0x00027000      | 0x0003E430   | 0x0003F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 7.5026

Resources

Title | Entropy  | Size  | Codepage | Language                 | Type
1     | 2.25999  | 296   | UNKNOWN  | English - United Kingdom | RT_ICON
2     | 2.65021  | 744   | UNKNOWN  | English - United Kingdom | RT_ICON
100   | 7.90184  | 2109  | UNKNOWN  | English - United Kingdom | XML
101   | 7.9895   | 77154 | UNKNOWN  | English - United Kingdom | XML
102   | 1.92193  | 5     | UNKNOWN  | English - United Kingdom | TEXT
103   | 0.918296 | 3     | UNKNOWN  | English - United Kingdom | TEXT
129   | 6.27844  | 129   | UNKNOWN  | English - United Kingdom | TRACKINGDATA
140   | 0        | 16    | UNKNOWN  | English - United Kingdom | CRCDATA
200   | 2.37086  | 34    | UNKNOWN  | English - United Kingdom | RT_GROUP_ICON
301   | 6.41089  | 50778 | UNKNOWN  | English - United Kingdom | WAV

Imports

KERNEL32.dll
No data.
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> hotguy_3[1].exe -> iexplore.exe (no specs)

Process information

PID: 1552
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none listed)
Parent process: HOTGUY_3[1].EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules / Images:
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
PID: 1956
CMD: "C:\Users\admin\AppData\Local\Temp\HOTGUY_3[1].EXE"
Path: C:\Users\admin\AppData\Local\Temp\HOTGUY_3[1].EXE
Indicators: Starts Internet Explorer (see the SUSPICIOUS indicators above)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules / Images:
c:\users\admin\appdata\local\temp\hotguy_3[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events: 51
Read events: 28
Write events: 23
Delete events: 0

Modification events

PID  | Process         | Operation | Key                                                                                          | Name            | Value
1956 | HOTGUY_3[1].EXE | write     | HKEY_CURRENT_USER\Software\AdTools, Inc.\Temp                                                | Dir             | C:\Users\admin\AppData\Local\Temp\A6CA\
1956 | HOTGUY_3[1].EXE | write     | HKEY_CURRENT_USER\Software\AdTools, Inc.\Connection                                          | Installed       | 1
1956 | HOTGUY_3[1].EXE | write     | HKEY_CURRENT_USER\Software\AdTools, Inc.\UserInfo                                            | Identifier      | e66cecbe-841d-40d3-9401-81775b9f1e45
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm     | fdwSupport      | 1
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm     | cFormatTags     | 2
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm     | aFormatTagCache | 01000000100000001100000014000000
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm     | cFilterTags     | 0
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711       | fdwSupport      | 1
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711       | cFormatTags     | 3
1956 | HOTGUY_3[1].EXE | write     | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711       | aFormatTagCache | 010000001000000006000000120000000700000012000000
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

PID  | Process         | Filename                                            | Type | MD5                              | SHA256
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\A6CA\A709.tmp     | -    | -                                | -
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\A6CA\A70A.tmp     | -    | -                                | -
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\A6CA\A71C.tmp     | -    | -                                | -
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\A6CA\A71D.tmp     | -    | -                                | -
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\A6CA\A71E.tmp     | -    | -                                | -
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\A6CA\htpA70B.tmp  | text | -                                | -
1956 | HOTGUY_3[1].EXE | C:\Users\admin\AppData\Local\Temp\BC8B.tmp          | mid  | 2811672238A294CB72BBA69F12A77998 | 2E8FD89F8F4BF61D6014C641A71A2282371202594B91500EAD074B0B5E0DDD46
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 3
Threats: 5

HTTP requests

PID  | Process         | Method | HTTP Code | IP                 | URL                                                                                                          | CN | Type | Size | Reputation
1956 | HOTGUY_3[1].EXE | GET    | 302       | 103.224.212.247:80 | http://www.messagemates.com/AdPuller/adult_mature/adult_mature.xmls                                          | AU | -    | -    | malicious
1956 | HOTGUY_3[1].EXE | GET    | -         | 185.53.179.29:80   | http://ww38.messagemates.com/AdPuller/adult_mature/adult_mature.xmls?subid1=20191128-2246-09d8-b09d-d0d603ae2712 | DE | -    | -    | malicious
1956 | HOTGUY_3[1].EXE | POST   | 302       | 103.224.212.247:80 | http://tracking.messagemates.com/acts/tracking/track.asp                                                     | AU | -    | -    | malicious

Connections

PID  | Process         | IP                 | Domain                | ASN                   | CN | Reputation
1956 | HOTGUY_3[1].EXE | 185.53.179.29:80   | ww38.messagemates.com | Team Internet AG      | DE | malicious
1956 | HOTGUY_3[1].EXE | 103.224.212.247:80 | www.messagemates.com  | Trellian Pty. Limited | AU | malicious

DNS requests

Domain                    | IP              | Reputation
www.messagemates.com      | 103.224.212.247 | malicious
ww38.messagemates.com     | 185.53.179.29   | malicious
tracking.messagemates.com | 103.224.212.247 | malicious

Threats

PID  | Process         | Class         | Message
1956 | HOTGUY_3[1].EXE | Misc activity | ADWARE [PTsecurity] BehavesLike.Win32.BadFile.fc
1956 | HOTGUY_3[1].EXE | Misc activity | ADWARE [PTsecurity] BehavesLike.Win32.BadFile.fc
3 ETPRO signatures available at the full report

Debug output strings

Process         | Message
HOTGUY_3[1].EXE | InitData tracking worked.
HOTGUY_3[1].EXE | Campaign ID: 10214. File ID: 420. Consumer ID: HOTGUY. Tracking server: http://tracking.messagemates.com/acts/tracking/track.asp.