File name: cheat.exe
Full analysis: https://app.any.run/tasks/59a2b752-d906-401c-bf17-15fbf0e3e814
Verdict: Malicious activity
Threats: DCrat

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware whose plugins can be tailored to different tasks: stealing passwords and cryptocurrency-wallet data, hijacking Telegram and Steam accounts, and more. Attackers distribute DCrat in a variety of ways, but phishing email campaigns are the most common.

Analysis date: May 30, 2020, 15:48:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
parasite
stealer
loader
evasion
sorano
arcane
rat
backdoor
dcrat
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 43851749EB45FF87BA649918295CAA8D
SHA1: 994352827BA0B233474A64C2B5BE1B3DE8D6CE27
SHA256: C8683323F2FF88B519E7FF316F8A7898990B22DFC11298CE54868DAAE9C4D206
SSDEEP: 49152:I/x9LRodZcbGWEqysfKvedKarw3ZY+DcXAFpGDtu0C8dxAwn1JSJ:Ux9UZqG/q79EC+DcXAvH0C4xRn1Jw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • file0.exe (PID: 2296)
      • file1.exe (PID: 3916)
      • file2.exe (PID: 1564)
      • Starter.exe (PID: 3412)
      • nlHa4dneFyvW7t91tTqX.exe (PID: 2888)
      • savesref.exe (PID: 2548)
      • Adobe QuikInstall.exe (PID: 1708)
      • Decoder.exe (PID: 2968)
      • SecurityHealthService.exe (PID: 2380)
      • YourPhone.exe (PID: 4052)
      • Apimousecheck.exe (PID: 3160)
    • Stealing of credential data

      • cheat.exe (PID: 3192)
      • file1.exe (PID: 3916)
      • RegAsm.exe (PID: 3580)
    • PARASITE was detected

      • cheat.exe (PID: 3192)
    • Connects to CnC server

      • cheat.exe (PID: 3192)
      • RegAsm.exe (PID: 3580)
      • savesref.exe (PID: 2548)
    • Actions look like stealing of personal data

      • cheat.exe (PID: 3192)
      • RegAsm.exe (PID: 3580)
      • file1.exe (PID: 3916)
    • Downloads executable files from the Internet

      • cheat.exe (PID: 3192)
    • SORANO was detected

      • RegAsm.exe (PID: 3580)
    • ARCANE was detected

      • RegAsm.exe (PID: 3580)
    • Loads dropped or rewritten executable

      • savesref.exe (PID: 2548)
    • Writes to a start menu file

      • cmd.exe (PID: 1080)
      • savesref.exe (PID: 2548)
    • Changes the autorun value in the registry

      • Starter.exe (PID: 3412)
    • DCRAT was detected

      • savesref.exe (PID: 2548)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3824)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2524)
    • Changes settings of System certificates

      • Apimousecheck.exe (PID: 3160)
  • SUSPICIOUS

    • Application launched itself

      • cheat.exe (PID: 2168)
    • Connects to server without host name

      • cheat.exe (PID: 3192)
    • Reads Internet Cache Settings

      • cheat.exe (PID: 3192)
    • Reads the cookies of Google Chrome

      • cheat.exe (PID: 3192)
      • RegAsm.exe (PID: 3580)
      • file1.exe (PID: 3916)
    • Executable content was dropped or overwritten

      • cheat.exe (PID: 3192)
      • file2.exe (PID: 1564)
      • nlHa4dneFyvW7t91tTqX.exe (PID: 2888)
      • file1.exe (PID: 3916)
      • Starter.exe (PID: 3412)
      • savesref.exe (PID: 2548)
      • Decoder.exe (PID: 2968)
      • chrome.exe (PID: 2944)
      • chrome.exe (PID: 2732)
    • Executes scripts

      • file2.exe (PID: 1564)
      • nlHa4dneFyvW7t91tTqX.exe (PID: 2888)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3140)
      • file1.exe (PID: 3916)
      • WScript.exe (PID: 2456)
      • Adobe QuikInstall.exe (PID: 1708)
      • Decoder.exe (PID: 2968)
    • Reads Environment values

      • RegAsm.exe (PID: 3580)
      • Apimousecheck.exe (PID: 3160)
    • Reads the cookies of Mozilla Firefox

      • file1.exe (PID: 3916)
    • Creates files in the user directory

      • cmd.exe (PID: 1080)
      • savesref.exe (PID: 2548)
      • Starter.exe (PID: 3412)
      • Decoder.exe (PID: 2968)
    • Searches for installed software

      • file1.exe (PID: 3916)
    • Checks for external IP

      • savesref.exe (PID: 2548)
      • file1.exe (PID: 3916)
    • Adds / modifies Windows certificates

      • Apimousecheck.exe (PID: 3160)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2944)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2976)
      • opera.exe (PID: 2976)
      • chrome.exe (PID: 2944)
      • taskmgr.exe (PID: 4056)
    • Dropped object may contain TOR URLs

      • cheat.exe (PID: 3192)
    • Reads settings of System Certificates

      • RegAsm.exe (PID: 3580)
      • file1.exe (PID: 3916)
      • chrome.exe (PID: 2732)
      • chrome.exe (PID: 2944)
    • Creates files in the user directory

      • opera.exe (PID: 2976)
    • Reads the hosts file

      • chrome.exe (PID: 2944)
      • chrome.exe (PID: 2732)
    • Application launched itself

      • chrome.exe (PID: 2944)
    • Dropped object may contain Bitcoin addresses

      • file1.exe (PID: 3916)
      • cheat.exe (PID: 3192)
      • Decoder.exe (PID: 2968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

AssemblyVersion: 1.5.5.3
ProductVersion: 5.4.7.9
ProductName: Tuhuen Software
OriginalFileName: SRNeRTLWrxQLe.exe
LegalTrademarks: Tuhuen Software LTD
LegalCopyright: Tuhuen Software LTD
InternalName: SRNeRTLWrxQLe.exe
FileVersion: 5.4.7.9
FileDescription: Tuhuen Software
CompanyName: Tuhuen Software LTD
Comments: Tuhuen Software
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.4.7.9
FileVersionNumber: 5.4.7.9
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x248e32
UninitializedDataSize: -
InitializedDataSize: 105984
CodeSize: 2387968
LinkerVersion: 6
PEType: PE32
TimeStamp: 2020:05:23 21:15:56+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-May-2020 19:15:56
Comments: Tuhuen Software
CompanyName: Tuhuen Software LTD
FileDescription: Tuhuen Software
FileVersion: 5.4.7.9
InternalName: SRNeRTLWrxQLe.exe
LegalCopyright: Tuhuen Software LTD
LegalTrademarks: Tuhuen Software LTD
OriginalFilename: SRNeRTLWrxQLe.exe
ProductName: Tuhuen Software
ProductVersion: 5.4.7.9
Assembly Version: 1.5.5.3

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 23-May-2020 19:15:56
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                 Entropy
.text   0x00002000       0x00246E38    0x00247000  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                   7.97563
.reloc  0x0024A000       0x0000000C    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ   0.10191
.rsrc   0x0024C000       0x00019B6C    0x00019C00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              3.3521
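The .text section above sits at 7.98 bits per byte, close to the 8.0 ceiling, which is the figure a sandbox uses to call a sample packed or encrypted (ordinary compiled x86 or MSIL code lands around 5.5 to 6.5). The following Python is an added example, not part of the ANY.RUN report: it walks the MZ header to e_lfanew (the "Address of NE header" field in the DOS header above), reads the COFF header and section table, and computes per-section Shannon entropy the same way the Sections table does. The PE it analyses is constructed in memory for the demonstration and shares no bytes with cheat.exe; the 7.0 threshold is my own choice.

```python
"""Parse a PE32 section table and compute per-section Shannon entropy.
Added example: the PE below is built in memory, it is not the real sample."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
HIGH_ENTROPY = 7.0  # bits/byte; assumed cut-off, plain code is usually 5.5-6.5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers (40 bytes each)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _reloc, _lines, _nreloc,
         _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 5),
        })
    return sections


def suspicious_sections(pe: bytes) -> list:
    """Names of executable sections whose entropy says 'packed or encrypted'."""
    return [s["name"] for s in parse_sections(pe)
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
            and s["entropy"] >= HIGH_ENTROPY]


def build_sample_pe() -> bytes:
    """Constructed PE32 with a high-entropy .text and a low-entropy .rsrc."""
    # Deterministic pseudo-random bytes stand in for a packed payload.
    text = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    rsrc = b"A" * 0x200 + bytes(range(16)) * 32   # entropy works out to exactly 3.0 bits
    e_lfanew = 0x80                                # same offset as the report's DOS header
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # I386, 2 sections
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")          # PE32 magic, rest zeroed
    headers_end = 0x200
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text),
                           headers_end, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rsrc_hdr = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x4000, len(rsrc),
                           headers_end + len(text), 0, 0, 0, 0,
                           IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    header = (dos + b"PE\0\0" + coff + optional + text_hdr + rsrc_hdr).ljust(headers_end, b"\0")
    return header + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_sections(sample):
        print(f"{s['name']:<8} {s['vaddr']:#010x} {s['rawsize']:#010x} {s['entropy']}")
    print("packed candidates:", suspicious_sections(sample))
```

Run `parse_sections(open("sample.exe", "rb").read())` against a real file to reproduce the table; for a .NET assembly like this one the whole obfuscated payload lives in .text, which is why that single section carries the high value while .reloc and .rsrc stay low.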

Resources

Title  Entropy  Size   Codepage  Language  Type
1      3.45681  940    UNKNOWN   UNKNOWN   RT_VERSION
2      3.00473  67624  UNKNOWN   UNKNOWN   RT_ICON
3      3.0904   16936  UNKNOWN   UNKNOWN   RT_ICON
4      3.29528  9640   UNKNOWN   UNKNOWN   RT_ICON
5      3.28249  4264   UNKNOWN   UNKNOWN   RT_ICON
6      3.28148  1128   UNKNOWN   UNKNOWN   RT_ICON

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 115
Monitored processes: 65
Malicious processes: 18
Suspicious processes: 2

Behavior graph

Interactive process graph; click a process in the full report to see its details. Nodes the sandbox tagged with a family: cheat.exe (#PARASITE), regasm.exe (#SORANO), savesref.exe (#DCRAT). The remaining nodes (explorer.exe, cheat.exe, file0.exe, file1.exe, file2.exe, wscript.exe, cmd.exe, nlha4dnefyvw7t91ttqx.exe, starter.exe, opera.exe, timeout.exe, decoder.exe, adobe quikinstall.exe, chrome.exe, securityhealthservice.exe, yourphone.exe, schtasks.exe, apimousecheck.exe, taskmgr.exe) carry no tag; those marked "no specs" in the graph had no signatures of their own.

Process information

PID 2168  "C:\Users\admin\AppData\Local\Temp\cheat.exe"
  Path: C:\Users\admin\AppData\Local\Temp\cheat.exe   Parent: explorer.exe
  User: admin   Company: Tuhuen Software LTD   Integrity level: MEDIUM   Description: Tuhuen Software   Exit code: 0   Version: 5.4.7.9

PID 2976  "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe   Parent: explorer.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM   Description: Windows Explorer   Exit code: 1   Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2840  "{path}"
  Path: C:\Users\admin\AppData\Local\Temp\cheat.exe   Parent: cheat.exe
  User: admin   Company: Tuhuen Software LTD   Integrity level: MEDIUM   Description: Tuhuen Software   Exit code: 4294967295 (0xFFFFFFFF)   Version: 5.4.7.9

PID 3192  "{path}"
  Path: C:\Users\admin\AppData\Local\Temp\cheat.exe   Parent: cheat.exe
  User: admin   Company: Tuhuen Software LTD   Integrity level: MEDIUM   Description: Tuhuen Software   Exit code: 0   Version: 5.4.7.9

PID 2296  "C:\Users\admin\Documents\file0.exe"
  Path: C:\Users\admin\Documents\file0.exe   Parent: cheat.exe
  User: admin   Company: EduPrintProv   Integrity level: MEDIUM   Description: capiprovider   Exit code: 0   Version: 918.733.140.535

PID 3916  "C:\Users\admin\Documents\file1.exe"
  Path: C:\Users\admin\Documents\file1.exe   Parent: cheat.exe
  User: admin   Company: Inc.Infrastructure   Integrity level: MEDIUM   Description: Inc.Infrastructur Host Driver   Exit code: 0   Version: 2.0.0.0

PID 1564  "C:\Users\admin\Documents\file2.exe"
  Path: C:\Users\admin\Documents\file2.exe   Parent: cheat.exe
  User: admin   Integrity level: MEDIUM   Exit code: 0

PID 3140  "C:\Windows\System32\WScript.exe" "C:\fontcrt\MwNjvr88NQJRSWi19KqHvdvHPGxkRc.vbs"
  Path: C:\Windows\System32\WScript.exe   Parent: file2.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM   Description: Microsoft ® Windows Based Script Host   Exit code: 0   Version: 5.8.7600.16385

PID 2264  cmd /c ""C:\fontcrt\f8IOiW4b1oJg0IdnBPNY1lP2Kk6HqE.bat" "
  Path: C:\Windows\System32\cmd.exe   Parent: WScript.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM   Description: Windows Command Processor   Exit code: 0   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2888  nlHa4dneFyvW7t91tTqX.exe -pfc114bf1799a11cca515d4e7135dd097ec29a963
  Path: C:\fontcrt\nlHa4dneFyvW7t91tTqX.exe   Parent: cmd.exe
  User: admin   Integrity level: MEDIUM   Exit code: 0
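The process table shows the pattern worth hunting for on an endpoint: cheat.exe starts from %TEMP%, relaunches itself, drops file0/1/2.exe into Documents, and file2.exe reaches its payload through WScript.exe running a .vbs, which runs cmd.exe on a .bat, which starts a renamed binary from the root-level folder C:\fontcrt; later cmd.exe is used to register a scheduled task. The Python below is an added example, not part of the ANY.RUN report, that encodes those relationships as process-tree rules. Its records are reconstructed from the table above; the report lists parent process names only, so the parent PIDs, the parent of cmd.exe 1080 and 3824, the path of savesref.exe and the chrome.exe row (a benign control) are assumptions.

```python
"""Process-tree triage rules modelled on the sandbox's Process information table.
Added example; records are reconstructed, parent PIDs and savesref.exe's path
are assumptions, chrome.exe is a benign control."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid image path ppid")

USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData\\Local\\Temp|AppData\\Roaming|Documents|Downloads)\\",
    re.IGNORECASE)
ROOT_ALLOW = {"windows", "program files", "program files (x86)", "programdata", "users"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

PROCESSES = [  # constructed from the report's table; ppid column is assumed
    Proc(2976, "explorer.exe", r"C:\Windows\explorer.exe", 0),
    Proc(2168, "cheat.exe", r"C:\Users\admin\AppData\Local\Temp\cheat.exe", 2976),
    Proc(3192, "cheat.exe", r"C:\Users\admin\AppData\Local\Temp\cheat.exe", 2168),
    Proc(1564, "file2.exe", r"C:\Users\admin\Documents\file2.exe", 3192),
    Proc(3140, "WScript.exe", r"C:\Windows\System32\WScript.exe", 1564),
    Proc(2264, "cmd.exe", r"C:\Windows\System32\cmd.exe", 3140),
    Proc(2888, "nlHa4dneFyvW7t91tTqX.exe", r"C:\fontcrt\nlHa4dneFyvW7t91tTqX.exe", 2264),
    Proc(1080, "cmd.exe", r"C:\Windows\System32\cmd.exe", 3192),
    Proc(2548, "savesref.exe", r"C:\Users\admin\AppData\Roaming\savesref.exe", 1080),  # path assumed
    Proc(3824, "cmd.exe", r"C:\Windows\System32\cmd.exe", 2548),
    Proc(2524, "schtasks.exe", r"C:\Windows\System32\schtasks.exe", 3824),
    Proc(2944, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2976),
]


def ancestry(by_pid, pid):
    """Parents from nearest to root; stops at unknown PIDs and at cycles."""
    chain, seen = [], {pid}
    p = by_pid.get(pid)
    while p is not None and p.ppid in by_pid and p.ppid not in seen:
        p = by_pid[p.ppid]
        seen.add(p.pid)
        chain.append(p)
    return chain


def root_level_dir(path):
    """True for C:\\<folder>\\x.exe where <folder> is not a standard Windows root."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() not in ROOT_ALLOW


def odd_location(p):
    return bool(USER_WRITABLE.search(p.path)) or root_level_dir(p.path)


def triage(procs):
    """Map PID -> reasons for every process that trips at least one rule."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        reasons = []
        if USER_WRITABLE.search(p.path):
            reasons.append("runs from user-writable directory")
        if root_level_dir(p.path):
            reasons.append("runs from non-standard root-level directory")
        parent = by_pid.get(p.ppid)
        if parent and parent.path.lower() == p.path.lower():
            reasons.append("launched itself")
        parents = ancestry(by_pid, p.pid)
        images = [a.image.lower() for a in parents]
        if p.image.lower() != "cmd.exe" and "cmd.exe" in images:
            # a script host somewhere above the nearest cmd.exe
            above_cmd = images[images.index("cmd.exe") + 1:]
            if SCRIPT_HOSTS & set(above_cmd):
                reasons.append("spawned via script host -> cmd.exe chain")
        if p.image.lower() == "schtasks.exe" and any(odd_location(a) for a in parents):
            reasons.append("schtasks.exe driven from a process in an odd location")
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(PROCESSES).items()):
        print(pid, "; ".join(reasons))
```

Fed Sysmon event ID 1 or EDR process-creation records instead of the constructed list, the same rules surface the cheat.exe self-relaunch, the C:\fontcrt payload behind WScript.exe and cmd.exe, and the scheduled-task registration, while leaving explorer.exe and chrome.exe alone.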
Total events: 3 405
Read events: 3 022
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 29
Suspicious files: 82
Text files: 240
Unknown types: 28

Dropped files

PID   Process    Filename (type)
3192  cheat.exe  C:\Users\admin\Documents\rr (type and hashes not shown)
3916  file1.exe  C:\Users\admin\AppData\Local\Temp\Cab3C51.tmp (type and hashes not shown)
3916  file1.exe  C:\Users\admin\AppData\Local\Temp\Tar3C52.tmp (type and hashes not shown)
3916  file1.exe  C:\Users\admin\AppData\Local\Temp\Cab3C81.tmp (type and hashes not shown)
3916  file1.exe  C:\Users\admin\AppData\Local\Temp\Tar3C82.tmp (type and hashes not shown)
3192  cheat.exe  C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\screen.jpeg (image)
                 MD5: 5A669BB107654EA00650D6E8E10C2A12
                 SHA256: 86BE5EFBB7005773AB4A78023B0D9676C6FF584D101058BD7179C534C61238D6
3916  file1.exe  C:\Users\admin\AppData\Local\Temp\Cab3D6E.tmp (type and hashes not shown)
3192  cheat.exe  C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\Browsers\Google\Autofill.log (text)
                 MD5: 63D4BEA5BF2E239193F40EFAF2A17657
                 SHA256: AF8965DC3ECC954D181239538809A25AC1305B3389E1D0199EBFE769252A0AFA
3192  cheat.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\321[1].exe (executable)
                 MD5: 621368F070A43B2B353275CC2C1D2A85
                 SHA256: 83D04E3AC2A116805CEE01F0882B7745A94D11D27A1041D80DB1E40AE6F54B9E
3192  cheat.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\751[1].exe (executable)
                 MD5: E9232CE72A3CF88A3D1442248275C797
                 SHA256: C991FE8C6D840624FBF7B46C88514FF6324FEA56997929B0A81D97B0F6EB7F88
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
459
TCP/UDP connections
82
DNS requests
34
Threats
0

HTTP requests

PID / Process | Method, HTTP code | IP | URL | CN | Type, Size | Reputation

3192 cheat.exe | GET 200 | 81.16.28.176:80 | http://polosatik.site/126.exe | unknown | executable, 2.01 Mb | malicious
3916 file1.exe | GET 304 | 2.21.78.252:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed, 57.0 Kb | whitelisted
3916 file1.exe | GET 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml, 461 b | shared
3192 cheat.exe | GET 200 | 81.16.28.176:80 | http://polosatik.site/751.exe | unknown | executable, 977 Kb | malicious
2548 savesref.exe | GET 200 | 81.16.28.176:80 | http://polosatik.site/qnyfx6ftdd3rno199mxvktsxevpzuzu/eytdboy5szfe18nnmanpwvg692cnfa4lzel5i/5ec6a5b184b36667823aded56b8bb4a6fba22759.php?4ba60642483e6edded193f3eddb7d370=0940ad5e6d32b0f81cb79e230953bd92&e60ff182eb0c6968d20131f15b5573dd=529633998619a6068c1dc14fe9c1dd14a741b372 | unknown | text, 67 b | malicious
3192 cheat.exe | POST 200 | 188.225.33.242:80 | http://188.225.33.242/gate.php | RU | (type and size not shown) | malicious
3192 cheat.exe | POST 200 | 188.225.33.242:80 | http://188.225.33.242/gate.php | RU | text, 96 b | malicious
3192 cheat.exe | GET 200 | 81.16.28.176:80 | http://polosatik.site/321.exe | unknown | executable, 1.08 Mb | malicious
2548 savesref.exe | GET (no response code recorded) | 81.16.28.176:80 | http://polosatik.site/qnyfx6ftdd3rno199mxvktsxevpzuzu/eytdboy5szfe18nnmanpwvg692cnfa4lzel5i/8kgh087x1fgzjpaxwzd1xmstye4ynnxrib4tq9sx57rtw2ey1mtoc/fa0f471eaf400e7485e2cd28e62af714.php?823b821c9f8361b1d0fe2c0ddeda325c=%3DQDM1EWN0AjZyYGMyEGNzUDZlRTNlZ2YhdTN1EjYhR2YwYzYzYGMmRDM&c65f4611a8b807d0c3b2c24ef028946e=%3D%3DgY5ITN5UGZ3IjZwQ2YmJGMyU2NjJmZxAzMhRmYlBzMiJDZxQWZ1YWY&6ac56b5fa0bc520ed3722ada26977f74=lhXZuUGbklkPSR1U8UGel5SRTZncQlWbX5jUUNFPlhXZu0WZ0NXeT5jUUNFPlhXZuInbhRmbpdnPSR1U8UGel5SYyVGcv5jUUNFPlhXZuQ3cvh2Y2NnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLDZ1UTZlPSR1U8UGel5Cdz9GSyVGdslmRoNmchV2U%2BIFVTxTZ4VmL0N3bot2chRnPSR1U8UGel5SbzF0ZlJlPSR1U8UGel5yYlhXZpNXb%2BIFVTxTZ4VmL0N3bo52bj5jUUNFPlhXZuY3cs92bwNnPSR1U8UGel5iclRnchR3U%2BIFVTxTZ4VmLtdHZ%2BIFVTxTZ4VmL0lmbp5Wa35jUUNFPlhXZuQ3cvhEbvN2b09mcQh2YyFWZT5jUUNFPlhXZuMXZjlmdyV2c%2BIFVTxTZ4VmL0BXayN2c35jUUNFPlhXZucmblt2chRnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLzNnczNmPSR1U8UGel5SRUFERQVFVDlERF1US%2BIFVTxTZ4VmLzNXYzxmPSR1U8UGel5iclJ3bsBHel5jUUNFPlhXZu42btZGdj5jUUNFPlhXZuQ3cvh2Y2NnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLtNHb%2BIFVTxTZ4VmL0N3boNmdz5jUUNFPlhXZuQWbj5jUUNFPlhXZuQ3cvh2Y2NnPSR1U8UGel5Cdz9GajZ3c%2BIFVTxTZ4VmLyVGZvNWZE5jUUNFPlhXZuIXZ4VGZulEajJXYlNlPSR1U8UGel5iZlJ3clZXYz5jUUNFPlhXZu42bn9Gbul2d%2BIFVTxTZ4VmL0N3boNmdz5jUUNFPlhXZucGZvlGZ1FmPSR1U8UGel5Sc%2BIFVTxTZ4VmLzNnczNmPSR1U8UGel5ycz12c%2BIFVTxTZ4VmL0N3boNmdz5jUUNFP&9b0cc12a38836765288bc590f25fb6d8=%3D%3DgY2gzNjdTMkVzM3MWNzYWOjFGMhhjY0YTNidDZyYTN3YTZzEjYyUTN&a0c271d2fb34e59d44fb5ecdcf624ace=%3DUmN2gTMmdjZiJzN3QWM0MmYkVTZ1QDOykjM1YTZjRmM | unknown | (type and size not shown) | malicious
2976 opera.exe | GET 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der, 564 b | whitelisted

Connections

PID / Process | IP | Domain | ASN | CN | Reputation

3916 file1.exe | 2.21.78.252:80 | www.download.windowsupdate.com | Akamai International B.V. | - | whitelisted
3580 RegAsm.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious
3580 RegAsm.exe | 172.217.18.4:443 | www.google.com | Google Inc. | US | whitelisted
3192 cheat.exe | 81.16.28.176:80 | polosatik.site | - | - | malicious
2976 opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3916 file1.exe | 208.95.112.1:80 | ip-api.com | IBURST | - | malicious
3916 file1.exe | 54.225.191.113:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious
3192 cheat.exe | 188.225.33.242:80 | (no host name) | TimeWeb Ltd. | RU | malicious
2976 opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | - | whitelisted
3580 RegAsm.exe | 172.67.194.33:443 | arcane.es3n.in | - | US | malicious

DNS requests

Domain
IP
Reputation
polosatik.site
  • 81.16.28.176
malicious
api.ipify.org
  • 54.225.191.113
  • 54.225.182.172
  • 23.21.59.179
  • 54.221.234.156
  • 54.243.162.249
  • 54.225.66.103
  • 54.225.178.192
  • 50.19.115.217
shared
www.download.windowsupdate.com
  • 2.21.78.252
  • 2.21.78.185
whitelisted
www.google.com
  • 172.217.18.4
whitelisted
iplogger.org
  • 88.99.66.31
shared
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
ip-api.com
  • 208.95.112.1
shared
arcane.es3n.in
  • 172.67.194.33
  • 104.27.191.129
  • 104.27.190.129
malicious
ipinfo.io
  • 216.239.34.21
  • 216.239.32.21
  • 216.239.38.21
  • 216.239.36.21
shared

Threats

PID   Process    Class                          Message
3192  cheat.exe  A Network Trojan was detected  ET TROJAN Trojan Generic - POST To gate.php with no referer
3192  cheat.exe  A Network Trojan was detected  ET TROJAN Trojan Generic - POST To gate.php with no accept headers
3192  cheat.exe  A Network Trojan was detected  ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad
3192  cheat.exe  A Network Trojan was detected  STEALER [PTsecurity] Parasite
3192  cheat.exe  Potentially Bad Traffic        ET USER_AGENTS Observed Suspicious UA (Client)
3192  cheat.exe  A Network Trojan was detected  ET TROJAN Trojan Generic - POST To gate.php with no referer
3192  cheat.exe  A Network Trojan was detected  ET TROJAN Trojan Generic - POST To gate.php with no accept headers
3192  cheat.exe  A Network Trojan was detected  ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad
3192  cheat.exe  A Network Trojan was detected  STEALER [PTsecurity] Parasite
3192  cheat.exe  Potentially Bad Traffic        ET USER_AGENTS Observed Suspicious UA (Client)
6 ETPRO signatures available at the full report
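The alerts above are all on the Parasite stealer's gate.php check-in; the DCrat traffic from savesref.exe (GET to a .php under polosatik.site whose query keys are all 32-character hex strings) and the three .exe downloads raised no IDS alert at all, so they have to be caught from the HTTP log. The Python below is an added example and not part of the ANY.RUN report: it applies rules derived from this report's HTTP and Threats tables to Zeek-style http.log JSON records (POST to gate.php with no Referer, gate.php on a dotted-quad host, executable download from a host outside a small trusted list, the all-hex-keys .php beacon shape, and external-IP lookups). The log lines are constructed from the HTTP table; the client address and timestamps are invented, and the "beacon shape" rule is an observation about these URLs, not a published DCrat signature.

```python
"""Rules from the sandbox's network observations, run over Zeek http.log JSON.
Added example: the log lines are constructed from the report's HTTP table,
client IP and timestamps are invented."""
import ipaddress
import json
import re
from urllib.parse import parse_qsl

IOC_HOSTS = {"polosatik.site", "188.225.33.242", "arcane.es3n.in"}
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io"}
TRUSTED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "digicert.com",
                    "google.com", "opera.com")
HEX32 = re.compile(r"^[0-9a-f]{32}$")

LOG_LINES = [  # constructed; hosts, URIs, codes and MIME types taken from the HTTP table
    '{"ts":1590846503.1,"id.orig_h":"10.0.2.15","id.resp_h":"188.225.33.242","id.resp_p":80,'
    '"method":"POST","host":"188.225.33.242","uri":"/gate.php","status_code":200,'
    '"resp_mime_types":["text/plain"]}',
    '{"ts":1590846505.4,"id.orig_h":"10.0.2.15","id.resp_h":"81.16.28.176","id.resp_p":80,'
    '"method":"GET","host":"polosatik.site","uri":"/126.exe","status_code":200,'
    '"resp_mime_types":["application/x-dosexec"]}',
    '{"ts":1590846509.0,"id.orig_h":"10.0.2.15","id.resp_h":"208.95.112.1","id.resp_p":80,'
    '"method":"GET","host":"ip-api.com","uri":"/xml","status_code":200,'
    '"resp_mime_types":["text/xml"]}',
    '{"ts":1590846510.2,"id.orig_h":"10.0.2.15","id.resp_h":"2.21.78.252","id.resp_p":80,'
    '"method":"GET","host":"www.download.windowsupdate.com",'
    '"uri":"/msdownload/update/v3/static/trustedr/en/authrootstl.cab","status_code":304}',
    '{"ts":1590846530.7,"id.orig_h":"10.0.2.15","id.resp_h":"81.16.28.176","id.resp_p":80,'
    '"method":"GET","host":"polosatik.site","uri":"/qnyfx6ftdd3rno199mxvktsxevpzuzu/'
    'eytdboy5szfe18nnmanpwvg692cnfa4lzel5i/5ec6a5b184b36667823aded56b8bb4a6fba22759.php'
    '?4ba60642483e6edded193f3eddb7d370=0940ad5e6d32b0f81cb79e230953bd92'
    '&e60ff182eb0c6968d20131f15b5573dd=529633998619a6068c1dc14fe9c1dd14a741b372",'
    '"status_code":200,"resp_mime_types":["text/plain"]}',
]


def is_dotted_quad(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyze(rec):
    """Return (severity, rule) pairs for one http.log record (dict)."""
    host = rec.get("host", "")
    method = rec.get("method", "")
    path, _, query = rec.get("uri", "/").partition("?")
    referrer = rec.get("referrer")
    if referrer in ("-", ""):            # TSV exports write '-' for an absent header
        referrer = None
    mimes = rec.get("resp_mime_types") or []
    hits = []
    if host in IOC_HOSTS:
        hits.append(("high", "known C2/distribution host from the report"))
    if method == "POST" and path.lower().endswith("/gate.php"):
        if referrer is None:
            hits.append(("high", "POST to gate.php without Referer"))
        if is_dotted_quad(host):
            hits.append(("high", "POST to gate.php on dotted-quad host"))
    if (path.lower().endswith(".exe") or "application/x-dosexec" in mimes) and not is_trusted(host):
        hits.append(("medium", "executable download from untrusted host"))
    keys = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    if path.lower().endswith(".php") and keys and all(HEX32.match(k) for k in keys):
        hits.append(("medium", "PHP endpoint with all-32-hex query keys (beacon shape seen from savesref.exe)"))
    if host in IP_LOOKUP_HOSTS:
        hits.append(("low", "external IP lookup"))
    return hits


def scan(lines):
    """Map line index -> hits for every JSON line that matched at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        hits = analyze(json.loads(line))
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(LOG_LINES).items():
        print(i, json.loads(LOG_LINES[i])["host"], hits)
```

Pipe a real `http.log` (Zeek's JSON output, one record per line) into `scan` and the windowsupdate.com CAB fetch stays quiet while the gate.php POSTs, the polosatik.site executables and the savesref.exe beacon all surface; the external-IP lookups are kept at low severity because ip-api.com and ipify are also used by legitimate software.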
No debug info