URL:

https://romsmania.com/roms/gameboy-advance/pokemon-fire-red-version-v1-1-225039

Full analysis: https://app.any.run/tasks/88805b7d-14cc-424c-b751-c813ebd3b342
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 02, 2020, 06:07:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

C392C38490CEF052299A1D1AC0EB479F

SHA1:

C1057507E377B4E1FD2AC561A5C923A2F51C8264

SHA256:

EF7B6C9C8ED118F84FE5E3331917372E216D3FCAE30F45655398A4CF5EC34839

SSDEEP:

3:N8RW5uKdn5BWZCMXA7BuAbK8TRm:2RW5uPZCWA7sAFM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 1848)
      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3352)
    • Loads dropped or rewritten executable

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
    • Changes settings of System certificates

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3172)
      • iexplore.exe (PID: 3352)
      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
    • Cleans NTFS data-stream (Zone Identifier)

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 1848)
    • Reads Environment values

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
    • Application launched itself

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 1848)
    • Reads internet explorer settings

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
    • Creates files in the user directory

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
    • Adds / modifies Windows certificates

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3172)
      • iexplore.exe (PID: 3352)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3172)
    • Changes internet zones settings

      • iexplore.exe (PID: 3172)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3352)
    • Creates files in the user directory

      • iexplore.exe (PID: 3352)
    • Reads settings of System Certificates

      • Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe (PID: 4008)
      • iexplore.exe (PID: 3172)
      • iexplore.exe (PID: 3352)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3172)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

(Interactive graph; node and edge labels only.) iexplore.exe -> iexplore.exe -> [drop and start] -> pokemon jupiter - 6.04 (ruby hack)_0314012723.exe (no specs) -> [start] -> pokemon jupiter - 6.04 (ruby hack)_0314012723.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1848
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe
Parent process: iexplore.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
File Prog Setup
Exit code:
0
Version:
5.3.5.2
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\pokemon jupiter - 6.04 (ruby hack)_0314012723.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3172
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://romsmania.com/roms/gameboy-advance/pokemon-fire-red-version-v1-1-225039
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 3352
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3172 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 4008
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe" RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnl
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe
Parent process: Pokemon Jupiter - 6.04 (Ruby Hack)_0314012723.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
File Prog Setup
Exit code:
0
Version:
5.3.5.2
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\pokemon jupiter - 6.04 (ruby hack)_0314012723.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
9 203
Read events
1 909
Write events
5 446
Delete events
1 848

Modification events

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 549036616

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30792079

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3172) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files
5
Suspicious files
215
Text files
414
Unknown types
101

Dropped files

PID | Process | Filename | Type
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab6F0E.tmp |
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar6F0F.tmp |
3352 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PGXAICWX.txt |
3352 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3PCSQWH5.txt |
3352 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 | der
3352 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9EC3B71635F8BA3FC68DE181A104A0EF_F6C39EF89D8A3A72327D8412589658B2 | der
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\style[1].css | text
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\pokemon%20-%20sapphire-%20version-gameboy-advance_mini[1].jpg | image
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\back-to-stone-eu-gba_mini[1].jpg | image
3352 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BFNULQTW.txt | text
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
131
TCP/UDP connections
248
DNS requests
101
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3352
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
US
der
471 b
whitelisted
3352
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
3352
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
US
der
471 b
whitelisted
3352
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3352
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
3352
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD95YlrUDdnAggAAAAAKZZ%2B
US
der
472 b
whitelisted
3352
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAPoFgPzPCkjAgAAAABVfSU%3D
US
der
471 b
whitelisted
3352
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
3352
iexplore.exe
GET
200
13.32.118.94:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
3352
iexplore.exe
GET
200
13.32.118.167:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3352
iexplore.exe
104.24.96.73:443
romsmania.cc
Cloudflare Inc
US
shared
3352
iexplore.exe
151.139.128.14:80
ocsp.trust-provider.com
Highwinds Network Group, Inc.
US
suspicious
3352
iexplore.exe
2.18.234.190:443
widgets.outbrain.com
Akamai International B.V.
whitelisted
3352
iexplore.exe
172.217.18.2:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3352
iexplore.exe
172.217.18.110:443
www.google-analytics.com
Google Inc.
US
whitelisted
3352
iexplore.exe
87.250.250.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
3352
iexplore.exe
13.32.99.171:443
m2d.m2.ai
Amazon.com, Inc.
US
unknown
3352
iexplore.exe
172.217.22.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3352
iexplore.exe
13.32.118.167:80
o.ss2.us
Amazon.com, Inc.
US
malicious
3352
iexplore.exe
13.32.118.94:80
ocsp.rootg2.amazontrust.com
Amazon.com, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
romsmania.com
  • 169.54.206.44
  • 169.44.99.105
  • 169.54.204.231
  • 169.54.204.232
  • 169.44.99.100
suspicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
romsmania.cc
  • 104.24.96.73
  • 104.24.97.73
malicious
ocsp.trust-provider.com
  • 151.139.128.14
whitelisted
ocsp.comodoca4.com
  • 151.139.128.14
whitelisted
widgets.outbrain.com
  • 2.18.234.190
whitelisted
pagead2.googlesyndication.com
  • 172.217.18.2
whitelisted
m2d.m2.ai
  • 13.32.99.171
  • 13.32.99.51
  • 13.32.99.195
  • 13.32.99.75
shared
www.google-analytics.com
  • 172.217.18.110
whitelisted
mc.yandex.ru
  • 87.250.250.119
  • 77.88.21.119
  • 93.158.134.119
  • 87.250.251.119
whitelisted

Threats

PID
Process
Class
Message
1052
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3352
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3352
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1052
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
No debug info