File name:

DOTA2_MULTIHack.zip

Full analysis: https://app.any.run/tasks/422ab039-b01e-48f5-bca3-85b6ae808320
Verdict: Malicious activity
Threats:

A loader is malicious software whose job is to get a foothold on a device and deliver further payloads. Once running, it profiles the system and installs other threats, such as trojans or stealers. Loaders are usually delivered through phishing emails and links that rely on social engineering to get the user to download and run the executable; in this case the lure is a game cheat archive that the user extracts and runs manually. Loaders employ evasion and persistence tactics to avoid detection.

Analysis date: June 11, 2025, 17:38:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
loader
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

0FAA606474BA9E42105F6D8BDBC0F2F0

SHA1:

9C44CDD14965BA84ADD3314BED9207D441AF2A90

SHA256:

E14DB63DD6A915DC2D74A8D17ED5E5B48DE41B37BD9E94ED255F34CBDCBE1D25

SSDEEP:

24576:uGeYpXw3e+LvMQjKMsMtVLykfSI7UPcgtbv/4RHj:uGeYpXw3e+LvMQjrsMtVLykKI7UPcgtA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • player.exe (PID: 7056)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Reads security settings of Internet Explorer

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • There is functionality for taking screenshot (YARA)

      • DOTA2_cheat_installer.exe (PID: 504)
    • Executable content was dropped or overwritten

      • DOTA2_cheat_installer.exe (PID: 504)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • player.exe (PID: 7056)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 3820)
      • DOTA2_cheat_installer.exe (PID: 504)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3820)
    • Reads mouse settings

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Manual execution by a user

      • DOTA2_cheat_installer.exe (PID: 504)
    • Checks supported languages

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Reads the computer name

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Checks proxy server information

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • The process uses AutoIt

      • DOTA2_cheat_installer.exe (PID: 504)
    • Create files in a temporary directory

      • DOTA2_cheat_installer.exe (PID: 504)
    • Creates files or folders in the user directory

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Reads the machine GUID from the registry

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Reads the software policy settings

      • DOTA2_cheat_installer.exe (PID: 504)
      • player.exe (PID: 7056)
    • Launching a file from a Registry key

      • player.exe (PID: 7056)
    • Creates files in the program directory

      • player.exe (PID: 7056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2017:10:06 09:18:08
ZipCRC: 0x3019efaf
ZipCompressedSize: 496929
ZipUncompressedSize: 999424
ZipFileName: DOTA2_cheat_installer.exe
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process chain, reconstructed from the Process information below (the interactive graph is only available in the full report):

explorer.exe
  -> WinRAR.exe (PID 3820): opens DOTA2_MULTIHack.zip
  -> DOTA2_cheat_installer.exe (PID 504): extracted from the archive, run manually
     -> player.exe (PID 7056): dropped to %TEMP% and launched
services.exe
  -> svchost.exe (PID 2200, Dnscache)
svchost.exe (PID not shown)
  -> slui.exe (PID 6368, COM-activated via -Embedding, no specs)

Process information

PID: 504
CMD: "C:\Users\admin\Desktop\DOTA2_cheat_installer.exe"
Path: C:\Users\admin\Desktop\DOTA2_cheat_installer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\dota2_cheat_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3820
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\DOTA2_MULTIHack.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6368
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7056
CMD: C:\Users\admin\AppData\Local\Temp\player.exe
Path: C:\Users\admin\AppData\Local\Temp\player.exe
Parent process: DOTA2_cheat_installer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\player.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events: 6 765
Read events: 6 737
Write events: 28
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtBMP | (empty)
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtIcon | (empty)
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\preferences.zip
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\chromium_ext.zip
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\DOTA2_MULTIHack.zip
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name | 120
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size | 80
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type | 120
3820 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime | 100
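The indicators attribute an autorun change to player.exe (PID 7056), but the ten write events listed here are WinRAR's own UI settings and archive history; the Run-key value itself is not among them and is only in the full report. The script below is an added example, not ANY.RUN code, showing how to triage Run/RunOnce entries from a "reg export" dump: it parses the .reg syntax (quoted strings, and hex(2) REG_EXPAND_SZ values with backslash continuation lines) and flags commands that point into Temp, Downloads, Desktop or ProgramData. SAMPLE_REG is constructed; its "player" entry pointing at %TEMP%\player.exe is an assumption about what this sample's persistence could look like, not a value taken from the report.

```python
"""Triage Run/RunOnce autostart entries from a 'reg export' dump.

Added example, not part of the ANY.RUN report. SAMPLE_REG is constructed;
the 'player' entry is an assumption, not a value observed in the sandbox.
"""
import re
from typing import Dict, List, Tuple

# Autostart keys worth a first look (matched as suffixes of HKCU/HKLM paths).
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Directories a legitimate autostart command rarely points into.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "%temp%\\", "\\downloads\\",
                   "\\desktop\\", "\\programdata\\")

# "name"=value  or  @=value (default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex(kind: str, payload: str) -> str:
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    if kind in ("hex(1)", "hex(2)"):      # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.hex()                      # REG_BINARY and friends: keep as hex


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for the subset of .reg syntax used here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):           # hex data continued on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        val = m.group(2)
        if val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        elif val.startswith("hex"):
            kind, _, payload = val.partition(":")
            val = _decode_hex(kind, payload)
        keys[current][name] = val
    return keys


def autorun_findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, command) for autostart entries that point into user-writable dirs."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        for name, cmd in values.items():
            if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
                hits.append((key, name, cmd))
    return hits


# Constructed dump: OneDrive is a typical benign entry; "player" is the
# assumed malicious one, stored as REG_EXPAND_SZ (hex(2)) so %TEMP% is expanded at logon.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"player"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,70,00,\
  6c,00,61,00,79,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

if __name__ == "__main__":
    for key, name, cmd in autorun_findings(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name} -> {cmd}")
```

On a live host the dump comes from "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg" (and the HKLM equivalent); the heuristic is deliberately narrow, so confirm a hit by checking the image's hash against the Dropped files table rather than by path alone.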
Executable files: 3
Suspicious files: 7
Text files: 2
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3820.30258\DOTA2_cheat_installer.exe | executable
MD5:E7EA2317DAE0743FC34D3AC423185B7C
SHA256:28CC3E1FAB7B5FDE7AC31BB52B06A1E3B45A133892CA189FF7C5F11C160D4EDB
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\asacpiex[1].jpg | executable
MD5:C3115AD8998EA2F45CECB5BBD0E0E409
SHA256:54DA37ACB182064571F6AC404E835D2F591DA5C5BDC8347890D8DC30EA38EFBE
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\Local\Temp\player.exe | executable
MD5:C3115AD8998EA2F45CECB5BBD0E0E409
SHA256:54DA37ACB182064571F6AC404E835D2F591DA5C5BDC8347890D8DC30EA38EFBE
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D1BF279D74F16871F9E2E56E6FE7A76A | der
MD5:F27CF3453DCFED57477E79F607ED1426
SHA256:49682A77641178FD7DEBCBA3507762BB212B13DF4EA83E439D524405E97F1523
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6F4A543C48A2B34A288DC6730CE73ABE_41B8BA2C5E97C795C709348404925A38 | binary
MD5:B5D127CA93DFFD3D488005FC91A306C1
SHA256:895F7E993DB19D936890F7153A58A013FABDAFBFB2C821A51A61DB6AC2273F4C
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\447C78F2162C3E594B83E5C23105EBC9_C7575302820A4C10A93FA7069539859E | binary
MD5:85764FF144F1F1A2210FCEE528F78B3C
SHA256:7EB1B3E31341F592208B8A6F1A06595843B9C908857918317E0D443D22E9A49A
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\store[1].htm | text
MD5:FDA44910DEB1A460BE4AC5D56D61D837
SHA256:933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\447C78F2162C3E594B83E5C23105EBC9_C7575302820A4C10A93FA7069539859E | der
MD5:6BB6BF3C3112D7A0CFC79DE86F87644A
SHA256:6E65E4D50D38740135D6D0C696089297DAA4FAEE89E1B336F039816AA5905DFD
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24B1A339CE4003FF56D195584E8776B8_F03F053F6D04E206FF042E474F873B50 | binary
MD5:5BFA51F3A417B98E7443ECA90FC94703
SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
504 | DOTA2_cheat_installer.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24B1A339CE4003FF56D195584E8776B8_F03F053F6D04E206FF042E474F873B50 | binary
MD5:0FE5DF19E36156A5936814FBD55B86DD
SHA256:697D229B72BEB7F22BEF1139BD46A46BF8141DAD249A5EFAFFB27E736BA45E8E
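The table above shows the same MD5/SHA256 (C3115AD8... / 54DA37AC...) for asacpiex[1].jpg in the IE cache and for Temp\player.exe, and both are typed executable: the installer fetched a PE served under an image name and wrote it back out as player.exe. The script below is an added example, not ANY.RUN code, and does the two checks an analyst would run over such a drop set: compare each file's extension with its magic bytes, and look its SHA-256 up in this report's IOCs. The file contents are constructed stand-ins (the real samples are not on this page); only the hashes in REPORT_IOCS are copied from the table.

```python
"""Triage dropped files: extension vs. magic-byte mismatch, plus IOC hash lookup.

Added example, not part of the ANY.RUN report. File bytes are constructed;
REPORT_IOCS holds SHA-256 values copied from the Dropped files table.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

REPORT_IOCS: Dict[str, str] = {
    "28CC3E1FAB7B5FDE7AC31BB52B06A1E3B45A133892CA189FF7C5F11C160D4EDB": "DOTA2_cheat_installer.exe",
    "54DA37ACB182064571F6AC404E835D2F591DA5C5BDC8347890D8DC30EA38EFBE": "player.exe (also asacpiex[1].jpg)",
}

# First-bytes signatures; a PE file starts with the DOS stub "MZ".
MAGIC = ((b"MZ", "executable"), (b"\xff\xd8\xff", "jpeg"),
         (b"\x89PNG\r\n\x1a\n", "png"), (b"PK\x03\x04", "zip"))
EXT_TYPES = {"exe": "executable", "dll": "executable", "scr": "executable",
             "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "zip": "zip"}


@dataclass
class Finding:
    path: str
    sha256: str
    declared: str             # type implied by the file extension
    actual: str               # type implied by the magic bytes
    ioc_name: Optional[str]   # label from the IOC list if the hash is known

    @property
    def disguised(self) -> bool:
        """A PE stored under a non-executable extension, as asacpiex[1].jpg was."""
        return self.actual == "executable" and self.declared != "executable"


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def declared_type(path: str) -> str:
    name = basename(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return EXT_TYPES.get(ext, "unknown")


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(path: str, data: bytes, iocs: Dict[str, str] = REPORT_IOCS) -> Finding:
    digest = hashlib.sha256(data).hexdigest().upper()
    return Finding(path, digest, declared_type(path), sniff(data), iocs.get(digest))


def scan(files: Dict[str, bytes], iocs: Dict[str, str] = REPORT_IOCS) -> List[Finding]:
    """Keep only what deserves analyst time: disguised PEs and IOC hash hits."""
    return [f for f in (triage(p, d, iocs) for p, d in files.items())
            if f.disguised or f.ioc_name]


# Constructed stand-ins for the file contents (not the real samples).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\asacpiex[1].jpg": FAKE_PE,
    r"C:\Users\admin\AppData\Local\Temp\player.exe": FAKE_PE,
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\store[1].htm": b"<html>",
    r"C:\Users\admin\Desktop\photo.jpg": FAKE_JPEG,
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{basename(f.path)}: .{f.declared} by name, {f.actual} by content, "
              f"sha256={f.sha256[:16]}..., ioc={f.ioc_name}")
```

With the real files, player.exe would additionally match the 54DA37AC... IOC; with the constructed bytes only the extension mismatch on asacpiex[1].jpg fires, which is the more durable signal since a re-packed payload changes its hash but not the trick of serving a PE as a .jpg.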
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
32
DNS requests
24
Threats
9

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
1268 | svchost.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7056 | player.exe | GET | 200 | 142.250.185.227:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
7056 | player.exe | GET | 404 | 210.59.228.45:80 | http://taiwantreasure.com.tw/images/company/DSC-38173.jpg | unknown | unknown
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
504 | DOTA2_cheat_installer.exe | GET | 404 | 60.199.172.227:80 | http://www.ucctw.com/ucctw/tmp/stat2.php | unknown | unknown
504 | DOTA2_cheat_installer.exe | GET | 200 | 203.69.43.202:80 | http://www.jilgauges.com/includes/asacpiex.jpg | unknown | malicious
504 | DOTA2_cheat_installer.exe | GET | 301 | 203.69.43.202:80 | http://www.jilgauges.com/includes/store.jpg | unknown | unknown
6656 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6656 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
504 | DOTA2_cheat_installer.exe | GET | 200 | 210.71.154.6:80 | http://ocsp.eca.hinet.net/OCSP/ocspG1sha2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTD33bcZS4QyYncaWyxSG9NpqAFzgQUHgz3tmfy4ZImCUXAVTkudz9CSqICECP7pkg2DhXpK6eK7bZ6CuU%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3788 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
504 | DOTA2_cheat_installer.exe | 60.199.172.227:80 | www.ucctw.com | Taiwan Fixed Network, Telco and Network Service Provider. | TW | unknown
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
www.ucctw.com
  • 60.199.172.227
unknown
www.jilgauges.com
  • 203.69.43.202
malicious
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
ocsp.eca.hinet.net
  • 210.71.154.6
whitelisted
eca.hinet.net
  • 210.71.154.6
whitelisted

Threats

PID | Process | Class | Message
504 | DOTA2_cheat_installer.exe | Potential Corporate Privacy Violation | ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
504 | DOTA2_cheat_installer.exe | Potential Corporate Privacy Violation | ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
504 | DOTA2_cheat_installer.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
504 | DOTA2_cheat_installer.exe | A Network Trojan was detected | ET MALWARE Possible Banload Downloading Executable
504 | DOTA2_cheat_installer.exe | Potential Corporate Privacy Violation | ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
7056 | player.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
7056 | player.exe | Potential Corporate Privacy Violation | ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
7056 | player.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.tw domain
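Five of the nine alerts come from the installer's own HTTP traffic (three AutoIt User-Agent hits, the PE download, the Banload rule), the iplogger.com lookup shows up twice (the DNS query, attributed to the Dnscache svchost, and the TLS SNI from player.exe), and player.exe also trips the AutoIt User-Agent and *.tw-domain rules. The script below is an added example, not ANY.RUN or Emerging Threats code: it replays match conditions that approximate those rule titles against constructed traffic records. The rule bodies are not on this page, the Banload rule is not modelled, and the User-Agent string and response bodies are assumptions. is_pe() checks for the DOS stub plus the PE signature at e_lfanew, which is what a content-based "PE download" rule keys on, rather than the extension in the URL; the extra "PE served under an image file name" check is the one that catches asacpiex.jpg specifically.

```python
"""Replay network detections approximating the Threats table against constructed records.

Added example; not ANY.RUN or Emerging Threats code. Match conditions are
derived from the rule titles only. Sample UA strings and bodies are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HttpTx:
    pid: int
    host: str
    url: str
    user_agent: str
    resp_body: bytes = b""


def is_pe(data: bytes) -> bool:
    """DOS 'MZ' stub plus a 'PE\\0\\0' signature at e_lfanew (dword at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
IP_LOOKUP_DOMAINS = ("iplogger.com",)      # extend with other external-IP services as needed


def http_alerts(tx: HttpTx) -> List[str]:
    alerts: List[str] = []
    # Assumption: the AutoIt rule keys on a User-Agent header beginning with "AutoIt".
    if tx.user_agent.startswith("AutoIt"):
        alerts.append("AutoIt User-Agent in HTTP request")
    if is_pe(tx.resp_body):
        alerts.append("PE EXE or DLL download over HTTP")
        if tx.url.split("?", 1)[0].lower().endswith(IMAGE_EXTS):
            alerts.append("PE served under an image file name")
    if tx.host.lower().rstrip(".").endswith(".tw"):
        alerts.append("HTTP request to a *.tw domain")
    return alerts


def name_alerts(name: str, where: str) -> List[str]:
    """Shared check for DNS query names and TLS SNI values."""
    n = name.lower().rstrip(".")
    return [f"External IP lookup domain ({d} in {where})"
            for d in IP_LOOKUP_DOMAINS if n == d or n.endswith("." + d)]


def fake_pe() -> bytes:
    """Smallest blob that satisfies is_pe(); stands in for the real downloaded payload."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed records modelled on the HTTP requests and DNS tables above.
SAMPLE_HTTP = [
    HttpTx(504, "www.jilgauges.com", "http://www.jilgauges.com/includes/asacpiex.jpg", "AutoIt", fake_pe()),
    HttpTx(7056, "taiwantreasure.com.tw", "http://taiwantreasure.com.tw/images/company/DSC-38173.jpg",
           "AutoIt", b"<html>404</html>"),
    HttpTx(1268, "crl.microsoft.com", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
           "Microsoft-CryptoAPI/10.0", b"\x30\x82\x01\x00"),
]
SAMPLE_DNS = ["iplogger.com", "google.com", "www.jilgauges.com"]
SAMPLE_SNI = ["iplogger.com", "settings-win.data.microsoft.com"]


def run_sample() -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for tx in SAMPLE_HTTP:
        out[f"http pid={tx.pid} {tx.host}"] = http_alerts(tx)
    out["dns"] = [a for q in SAMPLE_DNS for a in name_alerts(q, "DNS lookup")]
    out["sni"] = [a for s in SAMPLE_SNI for a in name_alerts(s, "TLS SNI")]
    return out


if __name__ == "__main__":
    for key, alerts in run_sample().items():
        print(key, "->", alerts or "clean")
```

The CRL fetch by svchost is the control case: same GET method, same port 80, but a Microsoft-CryptoAPI User-Agent and a DER body, so none of the conditions fire. In production the records would come from the PCAP the full report offers rather than from the inline samples.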
No debug info