Resubmissions

23/02/2024, 13:44   240223-q11sxsbe2w   10
23/02/2024, 00:09   240223-afkyzagg2w   1
22/02/2024, 20:24   240222-y68dyseg4w   10

Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240221-uk
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-uk, locale:uk-ua, os:windows10-2004-x64, system, windows
submitted: 23/02/2024, 00:09
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.cheatengine.org/downloads.php
Resource: win10v2004-20240221-uk
General

Target: https://www.cheatengine.org/downloads.php

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

description        | ioc                                                                    | Process
Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     | msedge.exe
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  | msedge.exe
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)

pid   | Process              | entries
4636  | msedge.exe           | 2
2100  | msedge.exe           | 2
1428  | identity_helper.exe  | 2
1536  | msedge.exe           | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)

pid   | Process     | entries
2100  | msedge.exe  | 8

Suspicious use of FindShellTrayWindow (25 IoCs)

pid   | Process     | entries
2100  | msedge.exe  | 25

Suspicious use of SendNotifyMessage (24 IoCs)

pid   | Process     | entries
2100  | msedge.exe  | 24

Suspicious use of WriteProcessMemory (64 IoCs)

The 64 entries repeat the following four distinct rows; the target PIDs are the crashpad handler, GPU process, network service and storage service children listed under Processes below.

description                          | pid   | Process     | procid_target
PID 2100 wrote to memory of 3436     | 2100  | msedge.exe  | 84
PID 2100 wrote to memory of 3080     | 2100  | msedge.exe  | 85
PID 2100 wrote to memory of 4636     | 2100  | msedge.exe  | 86
PID 2100 wrote to memory of 4640     | 2100  | msedge.exe  | 87
Processes

Level 1 processes are top-level; level 2 processes are children of the preceding level 1 process.

PID 2100 (level 1): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cheatengine.org/downloads.php
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  PID 3436 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef83246f8,0x7ffef8324708,0x7ffef8324718

  PID 3080 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

  PID 4636 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  PID 4640 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8

  PID 4856 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

  PID 4584 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

  PID 1444 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

  PID 3616 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

  PID 4948 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

  PID 1428 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  PID 2412 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

  PID 2828 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

  PID 4704 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

  PID 376 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

  PID 1536 (level 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2917447499688662169,15097873411666329859,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

PID 3288 (level 1): C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1492 (level 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
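The WriteProcessMemory signature above is the one most worth a second look, and the check a triager wants is whether every target PID is a child the writer had just spawned (normal for a Chromium browser process handing launch data to its crashpad, GPU, network and storage children) or a foreign process. The script below is an added example, not part of the Triage report or of any Triage tooling: it parses the flattened IoC text and the report's depth-marked process list into a tree, classifies each target by its --type / --utility-sub-type / --service-sandbox-type flags, and returns writes whose target is not a direct child of the writer. Both inputs are constructed from this report's own PIDs and flags, trimmed to the fields the code inspects; the field names in the returned records are this example's own.

```python
"""Correlate a sandbox report's WriteProcessMemory IoCs with its process tree.

Added example, not part of the Triage report. The two inputs are constructed
from the report: the IoC text keeps one line per (writer, target) pair plus a
duplicate to show de-duplication, and the process list keeps only the flags
this code inspects. The depth numbers mirror the report's level 1/2 markers.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the flattened "Suspicious use of WriteProcessMemory" table.
WPM_IOCS = (
    "PID 2100 wrote to memory of 3436 2100 msedge.exe 84 "
    "PID 2100 wrote to memory of 3080 2100 msedge.exe 85 "
    "PID 2100 wrote to memory of 3080 2100 msedge.exe 85 "
    "PID 2100 wrote to memory of 4636 2100 msedge.exe 86 "
    "PID 2100 wrote to memory of 4640 2100 msedge.exe 87"
)

# Constructed sample: (pid, depth, command-line fragment) from the report.
PROCESSES = [
    (2100, 1, "msedge.exe --single-argument https://www.cheatengine.org/downloads.php"),
    (3436, 2, "msedge.exe --type=crashpad-handler"),
    (3080, 2, "msedge.exe --type=gpu-process"),
    (4636, 2, "msedge.exe --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
    (4640, 2, "msedge.exe --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility"),
    (4856, 2, "msedge.exe --type=renderer --renderer-client-id=5"),
    (1428, 2, "identity_helper.exe --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none"),
    (1536, 2, "msedge.exe --type=gpu-process --disable-gpu-sandbox"),
    (3288, 1, "CompPkgSrv.exe -Embedding"),
    (1492, 1, "CompPkgSrv.exe -Embedding"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(text: str) -> List[Tuple[int, int]]:
    """Distinct (writer_pid, target_pid) pairs, in first-seen order."""
    pairs: List[Tuple[int, int]] = []
    for writer, target in WPM_RE.findall(text):
        pair = (int(writer), int(target))
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def build_tree(processes) -> Dict[int, int]:
    """Map child pid -> parent pid from the report's depth markers.

    A process at depth d is a child of the most recent process at depth d-1.
    Depth-1 processes have no parent in the report and are absent from the map.
    """
    parents: Dict[int, int] = {}
    chain: List[int] = []          # current ancestor chain, index = depth - 1
    for pid, depth, _ in processes:
        del chain[depth - 1:]      # pop everything at this depth or deeper
        if chain:
            parents[pid] = chain[-1]
        chain.append(pid)
    return parents


def role(cmdline: str) -> str:
    """Chromium child role from --type / --utility-sub-type; 'browser' if none."""
    kind = re.search(r"--type=(\S+)", cmdline)
    if not kind:
        return "browser"
    sub = re.search(r"--utility-sub-type=(\S+)", cmdline)
    return f"{kind.group(1)}/{sub.group(1)}" if sub else kind.group(1)


def sandbox(cmdline: str) -> str:
    """Value of --service-sandbox-type, or 'default' when the flag is absent."""
    m = re.search(r"--service-sandbox-type=(\S+)", cmdline)
    return m.group(1) if m else "default"


def triage(wpm_text: str, processes) -> Dict[str, list]:
    """Explain each cross-process write by the target's place in the tree.

    A write is explained when the target is a direct child of the writer,
    which is how a Chromium browser process passes launch data to children it
    has just spawned. Every other target is returned under 'unexplained'.
    """
    cmd = {pid: c for pid, _, c in processes}
    parents = build_tree(processes)
    writes, unexplained = [], []
    for writer, target in parse_wpm(wpm_text):
        child_of_writer = parents.get(target) == writer
        writes.append({
            "writer": writer, "target": target,
            "role": role(cmd.get(target, "")),
            "sandbox": sandbox(cmd.get(target, "")),
            "child_of_writer": child_of_writer,
        })
        if not child_of_writer:
            unexplained.append(target)
    return {"writes": writes, "unexplained": unexplained}


if __name__ == "__main__":
    for record in triage(WPM_IOCS, PROCESSES)["writes"]:
        print(record)
```

On this report every target resolves to a direct child of PID 2100 and `unexplained` is empty, so the signature is consistent with ordinary browser process launching. The `sandbox` field is the useful side note: the network service and identity_helper run with `--service-sandbox-type=none`, which is where a browser exploit would have the most room, so those are the children to watch in any follow-up run.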
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
  MD5:    58670ac03d80eb4bd1cec7ac5672d2e8
  SHA1:   276295d2f9e58fb0b8ef03bd9567227fb94e03f7
  SHA256: 76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8
  SHA512: 99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Filesize: 152B
  MD5:    3782686f747f4a85739b170a3898b645
  SHA1:   81ae1c4fd3d1fddb50b3773e66439367788c219c
  SHA256: 67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13
  SHA512: 54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 336B
  MD5:    7d1d1c2a1310d2a33b56202efd4e2a01
  SHA1:   b8af90732d1d58e41a9a9d7ff33d3482193bfa12
  SHA256: e1c15b06112c503cf9b80072e03670d01b37a82bbfe11f7f3caf4b73afc4bd0d
  SHA512: 58a9df76fdb869d7f105af3e0d3c6f062e07f5d17821a74c7897e31142f158b885afba65cfd5a0d2c18656748445922ffadd6340e2126fce600e182069903a85

Filesize: 2KB
  MD5:    c6831528ad49d9ce24f75b2337a81c6a
  SHA1:   aa5bf6c93b0e09414d33dfbd6e339857c5a8e655
  SHA256: b8efb6343d27ca352995dfe1129172945d04ad3f85c23af5662563a44a008bc5
  SHA512: 5f28a9050ece81fb75b2dcfb4b81d0e7442c96e25dc3b68625a16330bf8727515c6ba2b83a4f3a1f8540b5d52219c5aee37c3f7c2760a516c6cca0a63a9327f9

Filesize: 111B
  MD5:    285252a2f6327d41eab203dc2f402c67
  SHA1:   acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 6KB
  MD5:    66f725d8404083f9cc0eb5235984129f
  SHA1:   321f74cdc19d9b55912dd92be3e15e457e648a6d
  SHA256: 39be2b558a3897004bf5e624950324aef1d40aad227efd543dc086efc387f1fb
  SHA512: 3187f8dfd61d87fc1434e8c654e91bb7f82d53412ebef03d9d9ce6e47e2efb14f888da05a1df887c546970005ff1041ad4fab52744c54546fc73466162d1b50b

Filesize: 7KB
  MD5:    2a8819445df70293d9a6236352ed53f7
  SHA1:   93c9f6fff475a840341b5e0c4d4a7708b3a259ca
  SHA256: 509963eb7a437b946ceaa817a8f8fd500b0e0c93227d34ff6ced193a53d2aa0b
  SHA512: 2ca1c5789f4b5934c8574b518974d6cae075274a38d2d9cc9d5e79318728accd368346bdaf336c0704d142bb930d6d1458338b27d89f8c19dba7ed8707cbdcb0

Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
  MD5:    46dce7961cbbbfe8b11340650839e9bb
  SHA1:   4d2092ea8c24a6bc82bf927b3701bc2220fd2a86
  SHA256: e109f5369175a706c4ce6c3cfbe8072384f5d555d3bb64785905fd4a50c03435
  SHA512: 4f3de89098e18a7223482a2c72cc7ca039f25052ba652aded2ec4ae076c332810a7dfb5ef2ee8f859a783fdc9f45a1cfdb9d88bd61e8bd170f28b631919c1fb6