File name: | MegaCheat v8.0 New Design.exe |
Full analysis: | https://app.any.run/tasks/74d05304-f7cd-45df-938b-48856293b8b3 |
Verdict: | Malicious activity |
Analysis date: | August 17, 2019, 20:00:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | F52881EF96FE4329F4FF2815D46560EE |
SHA1: | 123E48E6790C57265491D1E98B1B95F0A7222C8A |
SHA256: | A3F2BCF5DC1DF6DCF05A4492D456F247D7BFCC0A9983A6AA4F3BCABDCBD344CA |
SSDEEP: | 98304:IXo/k49UOT7jrNNUntyBRo4uyBNoGVyHZh5n/OachI6t:1ZzY6oOoGVyHxn/OachZ |
.exe | Inno Setup installer (67.7) |
---|---|
.exe | Win32 EXE PECompact compressed (generic) (25.6) |
.exe | Win32 Executable (generic) (2.7) |
.exe | Win16/32 Executable Delphi generic (1.2) |
.exe | Generic Win/DOS Executable (1.2) |
ProgramID: | com.embarcadero.Cheat |
---|---|
Comments: | www.mega-cheats.ru |
ProductVersion: | 8.0.0.0 |
ProductName: | MegaCheat |
OriginalFileName: | MegaCheat v8.0 |
LegalTrademarks: | www.mega-cheats.ru |
LegalCopyright: | www.mega-cheats.ru |
InternalName: | MegaCheat |
FileVersion: | 8.0.0.0 |
FileDescription: | www.mega-cheats.ru |
CompanyName: | www.mega-cheats.ru |
CharacterSet: | Windows, Cyrillic |
LanguageCode: | Russian |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 8.0.0.0 |
FileVersionNumber: | 8.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x466804 |
UninitializedDataSize: | - |
InitializedDataSize: | 1967104 |
CodeSize: | 4608512 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 2019:05:26 16:59:06+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 26-May-2019 14:59:06 |
Detected languages: | |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 26-May-2019 14:59:06 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x004607F0 | 0x00460800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.46675 |
.itext | 0x00462000 | 0x0000491C | 0x00004A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.03512 |
.data | 0x00467000 | 0x000114B8 | 0x00011600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.99962 |
.bss | 0x00479000 | 0x000077EC | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00481000 | 0x000042DE | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.1338 |
.didata | 0x00486000 | 0x00000A70 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.73874 |
.edata | 0x00487000 | 0x00000097 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.83099 |
.tls | 0x00488000 | 0x0000004C | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00489000 | 0x0000005D | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.38166 |
.reloc | 0x0048A000 | 0x00056D54 | 0x00056E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.71627 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.26803 | 1488 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 6.0292 | 2216 | UNKNOWN | English - United States | RT_ICON |
3 | 4.11799 | 1384 | UNKNOWN | English - United States | RT_ICON |
4 | 7.97751 | 50491 | UNKNOWN | English - United States | RT_ICON |
5 | 5.36814 | 67624 | UNKNOWN | English - United States | RT_ICON |
6 | 5.71212 | 9640 | UNKNOWN | English - United States | RT_ICON |
7 | 5.65227 | 4264 | UNKNOWN | English - United States | RT_ICON |
8 | 6.05661 | 1128 | UNKNOWN | English - United States | RT_ICON |
3682 | 2.04342 | 76 | UNKNOWN | UNKNOWN | RT_STRING |
3683 | 2.92331 | 170 | UNKNOWN | UNKNOWN | RT_STRING |
Imports |
---|
advapi32.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
msvcrt.dll |
netapi32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x0047C5A8 |
__dbk_fcall_wrapper | 2 | 0x000108B0 |
TMethodImplementationIntercept | 3 | 0x00065808 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3144 | "C:\Users\admin\AppData\Local\Temp\MegaCheat v8.0 New Design.exe" | C:\Users\admin\AppData\Local\Temp\MegaCheat v8.0 New Design.exe | | explorer.exe | User: admin; Company: www.mega-cheats.ru; Integrity Level: MEDIUM; Description: www.mega-cheats.ru; Exit code: 0; Version: 8.0.0.0 |
1456 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | | MegaCheat v8.0 New Design.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
2460 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1456 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
2808 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Exit code: 0; Version: 26,0,0,131 |
2288 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\MegaCheat_v8.1.1_for_Flash_(Password_1234)[1].zip" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
3868 | "C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" | C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe | | explorer.exe | User: admin; Company: (blank); Integrity Level: MEDIUM; Description: OWkdkKJDs sd - 872ce0e8d610a63e46ee1c88a846fc72 \| Setup; Version: (blank) |
3388 | "C:\Users\admin\AppData\Local\Temp\is-KODN0.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp" /SL5="$40228,3222141,733184,C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" | C:\Users\admin\AppData\Local\Temp\is-KODN0.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp | — | megacheat v8.1.1 for flash-7bfee68e7b.exe | User: admin; Integrity Level: MEDIUM; Description: Setup/Uninstall; Version: 51.1052.0.0 |
776 | "C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" /SPAWNWND=$2035C /NOTIFYWND=$40228 | C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe | | megacheat v8.1.1 for flash-7bfee68e7b.tmp | User: admin; Company: (blank); Integrity Level: HIGH; Description: OWkdkKJDs sd - 872ce0e8d610a63e46ee1c88a846fc72 \| Setup; Version: (blank) |
3932 | "C:\Users\admin\AppData\Local\Temp\is-Q1R9T.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp" /SL5="$70200,3222141,733184,C:\Users\admin\Desktop\megacheat v8.1.1 for flash-7bfee68e7b.exe" /SPAWNWND=$2035C /NOTIFYWND=$40228 | C:\Users\admin\AppData\Local\Temp\is-Q1R9T.tmp\megacheat v8.1.1 for flash-7bfee68e7b.tmp | | megacheat v8.1.1 for flash-7bfee68e7b.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Version: 51.1052.0.0 |
2904 | "C:\Users\admin\AppData\Local\Temp\is-7O3OJ.tmp\yYPKpfIr.exe" -P QHGdqnH "zSjCSFVpPkrxjpX.zip" | C:\Users\admin\AppData\Local\Temp\is-7O3OJ.tmp\yYPKpfIr.exe | | megacheat v8.1.1 for flash-7bfee68e7b.tmp | User: admin; Integrity Level: HIGH; Exit code: 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1456 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | — |
1456 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\t27eMa26n5[1].txt | — | — | — |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 79A4278A054ECED0AC1865D229EFA21C | D7C91356DE8FD2C58FF37F1A3F9C9D861ECF9C442AAD66F0B29D0D44BA999910 |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\258C01MW\anonfiles[1].css | text | FC056343EE59A457D68F2B59CB82F0C5 | 2C8C7E689A476BB3A2AA7403A2436BD1C7495484C2714B58CA7C14AF4F845EAF |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\app[1].js | text | 54CFC945293FF769616451BABDCE038C | 232555C7291EC261A98090DF629D525090376774A511B438074A700D65D92537 |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\t27eMa26n5[1].htm | html | 170DDC40136812C214D681CA8BA5C2BE | AC8CD0D1D5DBCACBB8015F73062FD17793FE110A7B6D17EFB605FAB7077F6738 |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | C0894421C3FC89E218B729F32449B91E | 9459DD59EDA4618A2678C72C4AD90AAA2878A97715E8C86FAB2AD384E59465B0 |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KPROQ0DI\js[1] | text | F9724B985971774D40C1FD8BFB9BCCBA | D994E1EE009664686351FA06B8EF77C4C597C635442F806C5BF35BFE3981C659 |
2460 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\258C01MW\djv99sxoqpv11_cloudfront_net[1] | text | C09EE6CCA5D9AF6CB93F1812C3D03F45 | 3049F20A7F7FD601D6401F0F92B10BAE8889A5A27FD5FDB13E7D236EB94B88D0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2460 | iexplore.exe | GET | 200 | 2.16.106.186:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 56.6 Kb | whitelisted |
3144 | MegaCheat v8.0 New Design.exe | GET | 200 | 87.236.16.18:80 | http://f1-hack.ru/inc/update.megacheats | RU | text | 32 b | malicious |
3144 | MegaCheat v8.0 New Design.exe | GET | 200 | 87.236.16.18:80 | http://f1-hack.ru/inc/release.megacheats | RU | text | 5 b | malicious |
2460 | iexplore.exe | GET | 200 | 2.16.106.186:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 56.6 Kb | whitelisted |
2700 | hpplclgTBGRkVmj.exe | POST | 200 | 104.31.73.33:80 | http://yorhenparty.com/v2/events | US | text | 224 Kb | malicious |
2460 | iexplore.exe | GET | 200 | 13.35.254.34:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
1456 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2700 | hpplclgTBGRkVmj.exe | POST | 200 | 104.31.73.33:80 | http://yorhenparty.com/v2/events | US | text | 224 Kb | malicious |
2460 | iexplore.exe | GET | 200 | 13.35.254.34:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1456 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2460 | iexplore.exe | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious |
2460 | iexplore.exe | 13.35.254.29:443 | djv99sxoqpv11.cloudfront.net | — | US | whitelisted |
2460 | iexplore.exe | 194.32.146.59:443 | anonfiles.com | — | — | unknown |
3144 | MegaCheat v8.0 New Design.exe | 87.236.16.18:80 | f1-hack.ru | Beget Ltd | RU | malicious |
2460 | iexplore.exe | 23.111.8.154:443 | oss.maxcdn.com | netDNA | US | unknown |
2460 | iexplore.exe | 52.202.159.120:443 | deryjobmeetin.info | Amazon.com, Inc. | US | unknown |
2460 | iexplore.exe | 216.58.208.46:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2460 | iexplore.exe | 13.35.254.34:80 | x.ss2.us | — | US | suspicious |
2460 | iexplore.exe | 172.217.23.168:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
f1-hack.ru | | malicious |
www.bing.com | | whitelisted |
anonfiles.com | | shared |
vjs.zencdn.net | | whitelisted |
oss.maxcdn.com | | whitelisted |
cdn-101.anonfile.com | | suspicious |
www.googletagmanager.com | | whitelisted |
djv99sxoqpv11.cloudfront.net | | shared |
www.google-analytics.com | | whitelisted |
deryjobmeetin.info | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2700 | hpplclgTBGRkVmj.exe | Misc activity | ADWARE [PTsecurity] Win32/DownloadAssistant.F |
2700 | hpplclgTBGRkVmj.exe | Misc activity | ADWARE [PTsecurity] Win32/DownloadAssistant.F |