File name:

MegaCheat v8.0 New Design.exe

Full analysis: https://app.any.run/tasks/74d05304-f7cd-45df-938b-48856293b8b3
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: August 17, 2019, 20:00:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F52881EF96FE4329F4FF2815D46560EE

SHA1:

123E48E6790C57265491D1E98B1B95F0A7222C8A

SHA256:

A3F2BCF5DC1DF6DCF05A4492D456F247D7BFCC0A9983A6AA4F3BCABDCBD344CA

SSDEEP:

98304:IXo/k49UOT7jrNNUntyBRo4uyBNoGVyHZh5n/OachI6t:1ZzY6oOoGVyHxn/OachZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3868)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 776)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 2712)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3740)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3732)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 2956)

    • Connects to CnC server

      • hpplclgTBGRkVmj.exe (PID: 2700)

  • SUSPICIOUS

    • Starts Internet Explorer

      • MegaCheat v8.0 New Design.exe (PID: 3144)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2808)

    • Executable content was dropped or overwritten

      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3868)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 776)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 3932)
      • yYPKpfIr.exe (PID: 2904)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3732)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 2712)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 2956)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2104)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3740)

    • Reads Windows owner or organization settings

      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 3932)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2104)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2520)

    • Reads the Windows organization settings

      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2104)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2520)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 3932)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2460)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1456)

    • Creates files in the user directory

      • iexplore.exe (PID: 2460)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2808)
      • iexplore.exe (PID: 1456)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1456)

    • Manual execution by user

      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3868)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 3732)
      • megacheat v8.1.1 for flash-7bfee68e7b.exe (PID: 2712)

    • Application was dropped or rewritten from another process

      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 3932)
      • yYPKpfIr.exe (PID: 2904)
      • hpplclgTBGRkVmj.exe (PID: 2700)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 3388)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2664)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2476)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2520)
      • yYPKpfIr.exe (PID: 1304)
      • yYPKpfIr.exe (PID: 2980)
      • hpplclgTBGRkVmj.exe (PID: 2788)
      • hpplclgTBGRkVmj.exe (PID: 1400)
      • megacheat v8.1.1 for flash-7bfee68e7b.tmp (PID: 2104)

    • Changes internet zones settings

      • iexplore.exe (PID: 1456)

    • Application launched itself

      • iexplore.exe (PID: 1456)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:26 16:59:06+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 4608512
InitializedDataSize: 1967104
UninitializedDataSize: -
EntryPoint: 0x466804
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 8.0.0.0
ProductVersionNumber: 8.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Windows, Cyrillic
CompanyName: www.mega-cheats.ru
FileDescription: www.mega-cheats.ru
FileVersion: 8.0.0.0
InternalName: MegaCheat
LegalCopyright: www.mega-cheats.ru
LegalTrademarks: www.mega-cheats.ru
OriginalFileName: MegaCheat v8.0
ProductName: MegaCheat
ProductVersion: 8.0.0.0
Comments: www.mega-cheats.ru
ProgramID: com.embarcadero.Cheat

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-May-2019 14:59:06
Detected languages:
  • English - United States
  • Russian - Russia
CompanyName: www.mega-cheats.ru
FileDescription: www.mega-cheats.ru
FileVersion: 8.0.0.0
InternalName: MegaCheat
LegalCopyright: www.mega-cheats.ru
LegalTrademarks: www.mega-cheats.ru
OriginalFilename: MegaCheat v8.0
ProductName: MegaCheat
ProductVersion: 8.0.0.0
Comments: www.mega-cheats.ru
ProgramID: com.embarcadero.Cheat

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 11
Time date stamp: 26-May-2019 14:59:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x004607F0
0x00460800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.46675
.itext
0x00462000
0x0000491C
0x00004A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.03512
.data
0x00467000
0x000114B8
0x00011600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.99962
.bss
0x00479000
0x000077EC
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00481000
0x000042DE
0x00004400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.1338
.didata
0x00486000
0x00000A70
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.73874
.edata
0x00487000
0x00000097
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.83099
.tls
0x00488000
0x0000004C
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x00489000
0x0000005D
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.38166
.reloc
0x0048A000
0x00056D54
0x00056E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.71627

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26803
1488
UNKNOWN
English - United States
RT_MANIFEST
2
6.0292
2216
UNKNOWN
English - United States
RT_ICON
3
4.11799
1384
UNKNOWN
English - United States
RT_ICON
4
7.97751
50491
UNKNOWN
English - United States
RT_ICON
5
5.36814
67624
UNKNOWN
English - United States
RT_ICON
6
5.71212
9640
UNKNOWN
English - United States
RT_ICON
7
5.65227
4264
UNKNOWN
English - United States
RT_ICON
8
6.05661
1128
UNKNOWN
English - United States
RT_ICON
3682
2.04342
76
UNKNOWN
UNKNOWN
RT_STRING
3683
2.92331
170
UNKNOWN
UNKNOWN
RT_STRING

Imports

advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
kernel32.dll (delay-loaded)
msvcrt.dll
netapi32.dll
ole32.dll
oleaut32.dll
shell32.dll

Exports

Title
Ordinal
Address
dbkFCallWrapperAddr
1
0x0047C5A8
__dbk_fcall_wrapper
2
0x000108B0
TMethodImplementationIntercept
3
0x00065808
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
70
Monitored processes
23
Malicious processes
5
Suspicious processes
6

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start megacheat v8.0 new design.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs winrar.exe no specs megacheat v8.1.1 for flash-7bfee68e7b.exe megacheat v8.1.1 for flash-7bfee68e7b.tmp no specs megacheat v8.1.1 for flash-7bfee68e7b.exe megacheat v8.1.1 for flash-7bfee68e7b.tmp yypkpfir.exe hpplclgtbgrkvmj.exe megacheat v8.1.1 for flash-7bfee68e7b.exe megacheat v8.1.1 for flash-7bfee68e7b.exe megacheat v8.1.1 for flash-7bfee68e7b.tmp no specs megacheat v8.1.1 for flash-7bfee68e7b.tmp no specs megacheat v8.1.1 for flash-7bfee68e7b.exe megacheat v8.1.1 for flash-7bfee68e7b.exe megacheat v8.1.1 for flash-7bfee68e7b.tmp megacheat v8.1.1 for flash-7bfee68e7b.tmp no specs yypkpfir.exe no specs yypkpfir.exe no specs hpplclgtbgrkvmj.exe no specs hpplclgtbgrkvmj.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
776"C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" /SPAWNWND=$2035C /NOTIFYWND=$40228 C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe
megacheat v8.1.1 for flash-7bfee68e7b.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
OWkdkKJDs sd - 872ce0e8d610a63e46ee1c88a846fc72 | Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1304"C:\Users\admin\AppData\Local\Temp\is-O6NVJ.tmp\yYPKpfIr.exe" -P QHGdqnH "zSjCSFVpPkrxjpX.zip"C:\Users\admin\AppData\Local\Temp\is-O6NVJ.tmp\yYPKpfIr.exemegacheat v8.1.1 for flash-7bfee68e7b.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-o6nvj.tmp\yypkpfir.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1400"C:\Users\admin\AppData\Local\Temp\is-O6NVJ.tmp\hpplclgTBGRkVmj.exe" 872ce0e8d610a63e46ee1c88a846fc72C:\Users\admin\AppData\Local\Temp\is-O6NVJ.tmp\hpplclgTBGRkVmj.exemegacheat v8.1.1 for flash-7bfee68e7b.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
255
Modules
Images
c:\users\admin\appdata\local\temp\is-o6nvj.tmp\hpplclgtbgrkvmj.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1456"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
MegaCheat v8.0 New Design.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2104"C:\Users\admin\AppData\Local\Temp\is-VO1HE.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp" /SL5="$4028A,3222141,733184,C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" /SPAWNWND=$2027A /NOTIFYWND=$302CE C:\Users\admin\AppData\Local\Temp\is-VO1HE.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp
megacheat v8.1.1 for flash-7bfee68e7b.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vo1he.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2288"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\MegaCheat_v8.1.1_for_Flash_(Password_1234)[1].zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\comdlg32.dll
2460"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1456 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2476"C:\Users\admin\AppData\Local\Temp\is-L1S0M.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp" /SL5="$20286,3222141,733184,C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" C:\Users\admin\AppData\Local\Temp\is-L1S0M.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmpmegacheat v8.1.1 for flash-7bfee68e7b.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-l1s0m.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2520"C:\Users\admin\AppData\Local\Temp\is-MAN9O.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp" /SL5="$40134,3222141,733184,C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" /SPAWNWND=$20292 /NOTIFYWND=$20286 C:\Users\admin\AppData\Local\Temp\is-MAN9O.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmpmegacheat v8.1.1 for flash-7bfee68e7b.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-man9o.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2664"C:\Users\admin\AppData\Local\Temp\is-VQ2KN.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp" /SL5="$302CE,3222141,733184,C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" C:\Users\admin\AppData\Local\Temp\is-VQ2KN.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmpmegacheat v8.1.1 for flash-7bfee68e7b.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vq2kn.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
1 650
Read events
1 433
Write events
201
Delete events
16

Modification events

(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{BE494FAD-C129-11E9-B86F-5254004A04AF}
Value:
0
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
2
(PID) Process:(1456) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070800060011001400010005000C02
Executable files
9
Suspicious files
16
Text files
38
Unknown types
12

Dropped files

PID
Process
Filename
Type
1456iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
1456iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\t27eMa26n5[1].txt
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\t27eMa26n5[1].htmhtml
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\258C01MW\djv99sxoqpv11_cloudfront_net[1]text
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\js[1]text
MD5:
SHA256:
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YJZ2VT8S\glyphicons-halflings-regular[1].eoteot
MD5:F4769F9BDB7466BE65088239C12046D1
SHA256:13634DA87D9E23F8C3ED9108CE1724D183A39AD072E73E1B3D8CBF646D2D0407
2460iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\app[1].jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
35
DNS requests
16
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3144
MegaCheat v8.0 New Design.exe
GET
200
87.236.16.18:80
http://f1-hack.ru/inc/update.megacheats
RU
text
32 b
malicious
2700
hpplclgTBGRkVmj.exe
POST
200
104.31.73.33:80
http://yorhenparty.com/v2/events
US
text
224 Kb
malicious
2460
iexplore.exe
GET
200
2.16.106.186:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
56.6 Kb
whitelisted
2460
iexplore.exe
GET
200
2.16.106.186:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
56.6 Kb
whitelisted
2460
iexplore.exe
GET
200
13.35.254.34:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
1456
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2460
iexplore.exe
GET
200
13.35.254.34:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
3144
MegaCheat v8.0 New Design.exe
GET
200
87.236.16.18:80
http://f1-hack.ru/inc/release.megacheats
RU
text
5 b
malicious
2700
hpplclgTBGRkVmj.exe
POST
200
104.31.73.33:80
http://yorhenparty.com/v2/events
US
text
224 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2460
iexplore.exe
52.202.159.120:443
deryjobmeetin.info
Amazon.com, Inc.
US
unknown
2460
iexplore.exe
151.101.2.217:443
vjs.zencdn.net
Fastly
US
suspicious
2460
iexplore.exe
13.35.254.29:443
djv99sxoqpv11.cloudfront.net
US
whitelisted
2460
iexplore.exe
194.32.146.59:443
anonfiles.com
unknown
2460
iexplore.exe
23.111.8.154:443
oss.maxcdn.com
netDNA
US
unknown
2460
iexplore.exe
216.58.208.46:443
www.google-analytics.com
Google Inc.
US
whitelisted
2460
iexplore.exe
13.35.254.34:80
x.ss2.us
US
suspicious
2460
iexplore.exe
193.187.91.104:443
cdn-17.anonfiles.com
unknown
1456
iexplore.exe
194.32.146.59:443
anonfiles.com
unknown
2460
iexplore.exe
2.16.106.186:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
f1-hack.ru
  • 87.236.16.18
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
anonfiles.com
  • 194.32.146.59
  • 194.32.146.58
shared
vjs.zencdn.net
  • 151.101.2.217
  • 151.101.66.217
  • 151.101.130.217
  • 151.101.194.217
whitelisted
oss.maxcdn.com
  • 23.111.8.154
whitelisted
cdn-101.anonfile.com
suspicious
www.googletagmanager.com
  • 172.217.23.168
whitelisted
djv99sxoqpv11.cloudfront.net
  • 13.35.254.29
  • 13.35.254.12
  • 13.35.254.116
  • 13.35.254.127
shared
www.google-analytics.com
  • 216.58.208.46
whitelisted
deryjobmeetin.info
  • 52.202.159.120
  • 18.211.27.151
  • 54.209.40.52
  • 52.200.44.212
suspicious

Threats

PID
Process
Class
Message
2700
hpplclgTBGRkVmj.exe
Misc activity
ADWARE [PTsecurity] Win32/DownloadAssistant.F
2700
hpplclgTBGRkVmj.exe
Misc activity
ADWARE [PTsecurity] Win32/DownloadAssistant.F
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MegaCheat v8.0 New Design.exe