hxxps://drive[.]google[.]com/drive/folders/19CmcWNlrSWyM24gS-aNgJe0CMFxI_9vP

Analysis

max time kernel
107s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
11-04-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/19CmcWNlrSWyM24gS-aNgJe0CMFxI_9vP

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\system32\shfolder.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\imagehlp.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\profapi.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\system32\uxtheme.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257303009485173"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	121	Cheat Engine 7.2 : luascript-ceshare

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
3092	cheatengine-x86_64.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4144	Cheat Engine.exe
3092	cheatengine-x86_64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1236	2292	chrome.exe	82
PID 2292 wrote to memory of 1236	2292	chrome.exe	82
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 2320	2292	chrome.exe	83
PID 2292 wrote to memory of 3416	2292	chrome.exe	84
PID 2292 wrote to memory of 3416	2292	chrome.exe	84
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85
PID 2292 wrote to memory of 2700	2292	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://drive.google.com/drive/folders/19CmcWNlrSWyM24gS-aNgJe0CMFxI_9vP
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fd859758,0x7ff8fd859768,0x7ff8fd859778
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:2
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:8
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2408 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:8
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 --field-trial-handle=1800,i,13285053453671707709,9750625616744346426,131072 /prefetch:8
  2⤵
  PID:1332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1036

C:\Users\Admin\Downloads\ch-20230411T214505Z-001\ch\Cheat Engine.exe
"C:\Users\Admin\Downloads\ch-20230411T214505Z-001\ch\Cheat Engine.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4144
- C:\Users\Admin\Downloads\ch-20230411T214505Z-001\ch\cheatengine-x86_64.exe
  "C:\Users\Admin\Downloads\ch-20230411T214505Z-001\ch\cheatengine-x86_64.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
91ac35f09a9f54070b1b9dfab6defd7e

SHA1
77268088f25fa0a8b84341533310de452c019b09

SHA256
aff4ea27ed36aba23a6ab4f672c9ec900ea48336df74c7e89489be1054524735

SHA512
d62d7960afbf954ccabd20bbee77f38645e1bbd6a8d62992f6cd9339b2b9ebc8633754a3eb3af495a983cb9965a89bb6bbd7c218fd63c37e571cc8c9091921aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
8b7d8425c798f50072335c87165363d9

SHA1
1bc76cae3037940b095eaafaf370769fe5d518ee

SHA256
7e48b2f8a7b559eea59e2254a99160e9def672c81d7c8252890933dea1184b22

SHA512
e37ef24b106466a13322234474f390e25e389d7745d7cd0db5dd5cfe08b684cecf8bfe39c4d28ad12cb7cd95c084fb573f62ccda380a0c700e5e578c16910542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
80eefbfb1875b2461b0286c5fe3998b8

SHA1
f3ac5cb00e5415853831dafd0dd8863284e4cbb2

SHA256
0dde599cc3a96e6ca4b1e7b0eea2cf295678d67a7b7899d6f8261810bf686e07

SHA512
75d717d7af4d397faf1468e2ae6b94995e67fdc5a7fe128021b47c3b261b39718cf54d460235ebd35b847dab0b05aa4316a949605e939048aff5a9627a854313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
06e8ca7af622f76a2d331dc035a49f21

SHA1
50a8451ed7eea2fe3ced426ee75d67f72c937aed

SHA256
61f51a8ef89fad46cc0909921b5ea2e1e322b88560dffe719a1b081e4a9d9b95

SHA512
8a820c50f955b8ac778fa79f8ca7c2da8ed53a9f290028af96229f6c82f725e8e7600721ae44dc81c957c7df6a15b9880727e1f0faae9f440117979359dd2a18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
036447e90768959f3a763a01529d3806

SHA1
3e8ba47af52a265a74f86daf62b5cf7d64dca4b5

SHA256
e8c9349ae35572f468f2f804a30b344e923952d7b04df1689b2ea8b3aaf75176

SHA512
ff9df715d2f9952d80062e3051861823ea73898a5193dd3d7dbba72dc270811ca9e1f4fdd03ffab80836972f9d3013330560a3ef583294fa47a0fc42f30b1c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9f7078d4a87b0d050d6e9e2450983248

SHA1
d88c2e08e201814b0706e895a72e53c56a07f037

SHA256
fb06ccb17e492510757b16a729727da65acfd3cc006e4db6edb84d270f1c64b2

SHA512
ac02c808ace330acd62719bfc9cd1a499a6d98d276477a49239975601ddb589e4d1eefd78915dd2f800e4304a2c4aa40c102e22b6d1dd37e7f9e510b4d635867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
690b8ed4496777598a2bd523c9e034e1

SHA1
d883a4743c2194d1f1030f1a4c45c15ee27e845f

SHA256
09a9132735af7ec2f9ce897803650ebce4df1411317e9590b3717133fa1cad1d

SHA512
1ab3e266a7d0bac9b93c46ce5079b57f026a182c7fcc7978e7a0edebb71f50d1ff695a0e754bc074463bf7a3f0ed1984e749d6fddb45ae8811625ac78d2bb958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b689ead21de05c3880d232e24f55ef5

SHA1
432bb750736bd92367747104f8e1e065e9ce207f

SHA256
a9e47643cce1455a3c999bb481f288dc8976789ce767965546d3fbea8d521e23

SHA512
06fd7d4515408abefdc04854d6f8bb9a070b7fdc6d4b0f6f4d017058ec682ee5058e41135135b28d0584f697e4a1b85e6ee4e2c2f605bc336c6416421158f1f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d7e0c1bc7415ec74f8ed651038cc187b

SHA1
2c88f51cbf0e45e8a4975bb70e44b751329c0e11

SHA256
2fc0840aae0a6e235905c44ba70185358f7ea240efcfa88f9249b5c0060fa4a9

SHA512
40ee7a4e6c2232d967210babae1923a2de5b0cf373a1ed02994f9e3bf42a75260955a4b29aff2b73f1421a7afb6a43abbec687afdb85c93df434f3a5c0bb9fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
803de615271540ef50dfeb45ec6e00fe

SHA1
524e3ae665c520a5bd31102c695e7e52866e70d5

SHA256
39d0d757acb278809b66af1fa4e81fe2e6977d386a95868f6da0f368b420e116

SHA512
68beaa4ee44f844e6482cab2bfee03e32e244e4d01008efbb902734ff6cf1280ae8db31adcf9abf82e1231a126787117571f508115bd5a32193fe3b6625dcd1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
361d9ae618986d670c7aa2e5eaf81a42

SHA1
bc67371e47fe1ffcd02583d776477de637b37d76

SHA256
9265be63afc3b03c63a80a1aaea4ed6cec3a8c4e463b388577e9372442ef8fc7

SHA512
16b601b5a4edac5f264c4f3ecbe1fbae6bce58db7f1a5651e3fa3cbf32ce71fd84236cf9012288134ccf25530de656fae1f161d6e5b69975d33bf3acd63102d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
87f0a9f6fc1b7f21eb21fb7141e35c10

SHA1
f9b395d2d967b59ce332a8c030b0e5e893747957

SHA256
f56c5e94bd2314f774eb7f8b1f0be10829cd9c930c0ba51cb5c5f26dc89bac39

SHA512
cd6474f59ddf97b401c62fe6a7e16f409525cd569d1fcd11467dee977f046fcdc092f2bb25010ffccf74020cf9c7413376751bf4c6d95e3cf811aae52b2b568f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
89a68746c0f44458439c9d0dcebacfa8

SHA1
c6c12bafe88e356b7f5a76842c35df06000d5597

SHA256
24bfbbaf489ebacf1c2d5f7cb8845e8cc42b0b6b57357515377d05902b8d316a

SHA512
ea1c80b5d850cd6f9098ec084ff7ccf7b05fc60e7494e6597fa2d88fa4daa435f8b67803e7de0a676239b2a285843a601974fbf2e33ed20df7fc9307db16f0c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
e01e1bf17840a1354dfa9d4380bc5342

SHA1
5761179f2f95d71d04b230ec06571979a0e8e4d0

SHA256
eb624de388b68e8e0e1fb21bb364b9825872db138f828b7bc9b56ce2b2911fb9

SHA512
1befd65015a5e730e11a8ff4a25ab1d67f616492f28fe05f17989c0015b670613d9d4b5d8c246ebe4a0c56d79ca25a9eee44dd534e8a87f9be8998e9a62d9008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
de80bbcb5c8c6cc00a774d14e85eba62

SHA1
2db894b35e75d7f7528fcbc6762bbd3abb97a550

SHA256
89a84dc55cea75aa0b005c58b814e62cd10f06c7828e411b6c087529ac1cf79d

SHA512
37478b0af51cef71ac5b5679055540510ac1509faf0205a90aabc82846a420a81108dfbfc8417dfdda95497b436c7bb7bd6a4239cc5f490092a692d513657de3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57bcc8.TMP

Filesize
99KB

MD5
1116978fe6818b9fff55eb1c98c189cf

SHA1
04ddda9f46132f670484d38c9c2afc01b101a5fe

SHA256
72af5592ecf78e2b6171b674f00ab64b0d959077d9d7d5417ca9ab9b2327ba3c

SHA512
97e8b2ae0ad33c89baca17beb9c7ce1c66e5aa39749d0bf73ba3f437fca2366b0670c2e951a8de3fc7f46d6c5be553d9ea1c293d79780d1a656f598dd2de14f1

Download Submit
C:\Users\Admin\Downloads\ch-20230411T214505Z-001.zip

Filesize
27.1MB

MD5
a2e16d964457844da49bc747dcd032d6

SHA1
ee2b25f903e2911b664afe4ecac2ec7796e5680d

SHA256
605aa4d6d8b48621a658241f21c78bd90883d91669c7508d6a921d5c693aceed

SHA512
2f8243b8e8c85e0fbd3a1761ee2d29f548f117abe9b3d81daa9faab4252dd2dd535cb246032b7bae14f29311b721bf13d7b08460c89846a8a6a468dda6f0ae31

Download Submit