File name:

Download This First - CheatEngine.exe

Full analysis: https://app.any.run/tasks/cbf1f532-1f5d-4f8f-b6fa-3b5eb294e7a2
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: June 15, 2025, 08:37:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cheatengine
tool
bundleinstaller
adware
delphi
inno
installer
lua
qrcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

609FEA742D34DC1D53F0EEB4873B1A0A

SHA1:

3232C52DA3CB8F47A870162A35CDD75FCAE60AEA

SHA256:

E2E15826B69778E381F25AC8F2B109A377B23F7CF79B5F482E81F4D28C30F95E

SSDEEP:

98304:wSiW4opH4opH4op4U9tNz9RGa/xlbLP/h4:ZDBDBD1t3Hbb+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bundleinstaller mutex has been found

      • Download This First - CheatEngine.tmp (PID: 3148)

    • Starts NET.EXE for service management

      • CheatEngine75.tmp (PID: 4120)
      • net.exe (PID: 1936)
      • net.exe (PID: 3048)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Download This First - CheatEngine.tmp (PID: 7100)
      • Cheat Engine.exe (PID: 3100)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Executable content was dropped or overwritten

      • Download This First - CheatEngine.exe (PID: 3656)
      • Download This First - CheatEngine.exe (PID: 5172)
      • Download This First - CheatEngine.tmp (PID: 3148)
      • CheatEngine75.exe (PID: 2648)
      • icacls.exe (PID: 3620)
      • CheatEngine75.tmp (PID: 4120)

    • Reads the Windows owner or organization settings

      • Download This First - CheatEngine.tmp (PID: 3148)
      • CheatEngine75.tmp (PID: 4120)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6304)
      • sc.exe (PID: 5928)

    • Starts SC.EXE for service management

      • CheatEngine75.tmp (PID: 4120)

    • Uses ICACLS.EXE to modify access control lists

      • CheatEngine75.tmp (PID: 4120)

    • Process drops legitimate windows executable

      • CheatEngine75.tmp (PID: 4120)

    • Process drops SQLite DLL files

      • CheatEngine75.tmp (PID: 4120)

    • There is functionality for taking screenshot (YARA)

      • Download This First - CheatEngine.tmp (PID: 3148)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • There is functionality for communication over UDP network (YARA)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Detected use of alternative data streams (AltDS)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Uses RUNDLL32.EXE to load library

      • msedge.exe (PID: 7772)

  • INFO

    • Create files in a temporary directory

      • Download This First - CheatEngine.exe (PID: 3656)
      • Download This First - CheatEngine.exe (PID: 5172)
      • Download This First - CheatEngine.tmp (PID: 3148)
      • CheatEngine75.exe (PID: 2648)
      • CheatEngine75.tmp (PID: 4120)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Checks supported languages

      • Download This First - CheatEngine.exe (PID: 3656)
      • Download This First - CheatEngine.tmp (PID: 7100)
      • Download This First - CheatEngine.exe (PID: 5172)
      • Download This First - CheatEngine.tmp (PID: 3148)
      • CheatEngine75.exe (PID: 2648)
      • CheatEngine75.tmp (PID: 4120)
      • _setup64.tmp (PID: 6772)
      • Kernelmoduleunloader.exe (PID: 1204)
      • windowsrepair.exe (PID: 1052)
      • Cheat Engine.exe (PID: 3100)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Reads the computer name

      • Download This First - CheatEngine.tmp (PID: 7100)
      • Download This First - CheatEngine.tmp (PID: 3148)
      • CheatEngine75.tmp (PID: 4120)
      • Kernelmoduleunloader.exe (PID: 1204)
      • Cheat Engine.exe (PID: 3100)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Checks proxy server information

      • Download This First - CheatEngine.tmp (PID: 3148)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Process checks computer location settings

      • Download This First - CheatEngine.tmp (PID: 7100)
      • Cheat Engine.exe (PID: 3100)

    • The sample compiled with russian language support

      • Download This First - CheatEngine.tmp (PID: 3148)

    • The sample compiled with english language support

      • Download This First - CheatEngine.tmp (PID: 3148)
      • CheatEngine75.tmp (PID: 4120)

    • Reads the machine GUID from the registry

      • Download This First - CheatEngine.tmp (PID: 3148)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • CHEATENGINE mutex has been found

      • Download This First - CheatEngine.tmp (PID: 3148)

    • Reads the software policy settings

      • Download This First - CheatEngine.tmp (PID: 3148)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Creates files in the program directory

      • CheatEngine75.tmp (PID: 4120)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Detects InnoSetup installer (YARA)

      • Download This First - CheatEngine.exe (PID: 3656)
      • Download This First - CheatEngine.tmp (PID: 7100)
      • Download This First - CheatEngine.exe (PID: 5172)
      • Download This First - CheatEngine.tmp (PID: 3148)

    • Compiled with Borland Delphi (YARA)

      • Download This First - CheatEngine.exe (PID: 3656)
      • Download This First - CheatEngine.tmp (PID: 7100)
      • Download This First - CheatEngine.exe (PID: 5172)
      • Download This First - CheatEngine.tmp (PID: 3148)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Creates a software uninstall entry

      • CheatEngine75.tmp (PID: 4120)

    • The process uses Lua

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Creates files or folders in the user directory

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 5600)

    • Manual execution by a user

      • firefox.exe (PID: 1880)
      • msedge.exe (PID: 7772)

    • Application launched itself

      • firefox.exe (PID: 1880)
      • msedge.exe (PID: 7420)
      • msedge.exe (PID: 7400)
      • msedge.exe (PID: 7772)
      • firefox.exe (PID: 4648)

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 4648)

    • Launching a file from the Downloads directory

      • msedge.exe (PID: 7772)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 4648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:15 09:48:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 7.5.0.0
ProductVersionNumber: 7.5.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: EngineGame Installer
FileVersion: 7.5.0
LegalCopyright: © EngineGame
OriginalFileName:
ProductName: EngineGame
ProductVersion: 7.5.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
221
Monitored processes
77
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start download this first - cheatengine.exe download this first - cheatengine.tmp no specs download this first - cheatengine.exe #BUNDLEINSTALLER download this first - cheatengine.tmp cheatengine75.exe cheatengine75.tmp net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs _setup64.tmp no specs conhost.exe no specs icacls.exe conhost.exe no specs kernelmoduleunloader.exe windowsrepair.exe no specs icacls.exe no specs conhost.exe no specs cheat engine.exe no specs cheatengine-x86_64-sse4-avx2.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
472"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 1980 -prefsLen 36520 -prefMapHandle 1984 -prefMapSize 272997 -ipcHandle 2044 -initialChannelId {8830dd75-6835-4d94-8394-e23c4d7e5066} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
768"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5132 -prefsLen 39068 -prefMapHandle 5128 -prefMapSize 272997 -jsInitHandle 5184 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5192 -initialChannelId {3ceb4829-0280-46e9-bee3-39ac2ab7ba0b} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
1052"C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /sC:\Program Files\Cheat Engine 7.5\windowsrepair.exeCheatEngine75.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\cheat engine 7.5\windowsrepair.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1080\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1132"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2208 -prefsLen 36520 -prefMapHandle 2212 -prefMapSize 272997 -ipcHandle 2220 -initialChannelId {7a84bbbe-666b-4812-b514-8a82575a5f85} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
1204"C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUPC:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
CheatEngine75.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\cheat engine 7.5\kernelmoduleunloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1440"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5252,i,16323245997790987190,9527421088914376941,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1496"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)C:\Windows\System32\icacls.exeCheatEngine75.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1880"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\bcrypt.dll
1936"net" stop BadlionAnticC:\Windows\System32\net.exeCheatEngine75.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
Total events
21 589
Read events
21 520
Write events
63
Delete events
6

Modification events

(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:writeName:Owner
Value:
181000008C4684B7D0DDDB01
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:writeName:SessionHash
Value:
5BF432F1B4558ED1A53BE8F8184B90389DA8D0CB617A21AB9498E94AA0F9F107
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:writeName:Sequence
Value:
1
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:writeName:RegFiles0000
Value:
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:writeName:RegFilesHash
Value:
359B3EE4E50913D5E48BE85DD61B4569DF3886D1ADCA8E1F81F7F86AACC1FA65
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cheat Engine_is1
Operation:writeName:Inno Setup: Setup Version
Value:
6.2.1
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cheat Engine_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\Cheat Engine 7.5
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cheat Engine_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\Cheat Engine 7.5\
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cheat Engine_is1
Operation:writeName:Inno Setup: Icon Group
Value:
Cheat Engine 7.5
(PID) Process:(4120) CheatEngine75.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cheat Engine_is1
Operation:writeName:Inno Setup: User
Value:
admin
Executable files
164
Suspicious files
917
Text files
531
Unknown types
0

Dropped files

PID
Process
Filename
Type
3656Download This First - CheatEngine.exeC:\Users\admin\AppData\Local\Temp\is-2P1EA.tmp\Download This First - CheatEngine.tmpexecutable
MD5:1CDBF6DA4DEFE32C9CB5908968A02FAB
SHA256:87C1BB2236A874C97369B2CCA0D55559FA917707CEBDDF7A5EABC691F8302487
5172Download This First - CheatEngine.exeC:\Users\admin\AppData\Local\Temp\is-DD9Q0.tmp\Download This First - CheatEngine.tmpexecutable
MD5:1CDBF6DA4DEFE32C9CB5908968A02FAB
SHA256:87C1BB2236A874C97369B2CCA0D55559FA917707CEBDDF7A5EABC691F8302487
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\zbShieldUtils.dllexecutable
MD5:FAD0877741DA31AB87913EF1F1F2EB1A
SHA256:73FF938887449779E7A9D51100D7BE2195198A5E2C4C7DE5F93CEAC7E98E3E02
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\logo.pngimage
MD5:6B7CB2A5A8B301C788C3792802696FE8
SHA256:3EED2E41BC6CA0AE9A5D5EE6D57CA727E5CBA6AC8E8C5234AC661F9080CEDADF
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\botva2.dllexecutable
MD5:67965A5957A61867D661F05AE1F4773E
SHA256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\finish.pngimage
MD5:6B7CB2A5A8B301C788C3792802696FE8
SHA256:3EED2E41BC6CA0AE9A5D5EE6D57CA727E5CBA6AC8E8C5234AC661F9080CEDADF
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\error.pngimage
MD5:6B7CB2A5A8B301C788C3792802696FE8
SHA256:3EED2E41BC6CA0AE9A5D5EE6D57CA727E5CBA6AC8E8C5234AC661F9080CEDADF
2648CheatEngine75.exeC:\Users\admin\AppData\Local\Temp\is-DV401.tmp\CheatEngine75.tmpexecutable
MD5:9AA2ACD4C96F8BA03BB6C3EA806D806F
SHA256:1B81562FDAEAA1BC22CBAA15C92BAB90A12080519916CFA30C843796021153BB
3148Download This First - CheatEngine.tmpC:\Users\admin\AppData\Local\Temp\is-EQCMM.tmp\CheatEngine75.exeexecutable
MD5:E0F666FE4FF537FB8587CCD215E41E5F
SHA256:F88B0E5A32A395AB9996452D461820679E55C19952EFFE991DEE8FEDEA1968AF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
174
DNS requests
271
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1380
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5952
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5600
cheatengine-x86_64-SSE4-AVX2.exe
GET
200
142.250.185.67:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
5600
cheatengine-x86_64-SSE4-AVX2.exe
GET
200
142.250.185.67:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
5952
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4648
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
4648
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
4648
firefox.exe
POST
200
142.250.186.99:80
http://o.pki.goog/s/wr3/3H4
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5116
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3148
Download This First - CheatEngine.tmp
18.66.137.70:443
d2oq4dwfbh6gxl.cloudfront.net
AMAZON-02
US
whitelisted
2336
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1380
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1380
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
d2oq4dwfbh6gxl.cloudfront.net
  • 18.66.137.70
  • 18.66.137.45
  • 18.66.137.198
  • 18.66.137.114
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.22
  • 20.190.160.130
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.2
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 95.101.149.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

PID
Process
Class
Message
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
8100
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Process
Message
Kernelmoduleunloader.exe
Running in wow64
Kernelmoduleunloader.exe
Kernelmodule unloader
Kernelmoduleunloader.exe
attempting to unload
Kernelmoduleunloader.exe
SCManager opened
Kernelmoduleunloader.exe
setup=true
Kernelmoduleunloader.exe
count=0
Kernelmoduleunloader.exe
Setup. So do not show messages
cheatengine-x86_64-SSE4-AVX2.exe
Lua thread terminated
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Download This First - CheatEngine.exe