Analysis

max time kernel: 10s
max time network: 13s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 27/05/2024, 17:35
Static task: static1
Behavioral task: behavioral1
Sample: CheatEngine75P.exe
Resource: win11-20240426-en
General

Target: CheatEngine75P.exe
Size: 26.3MB
MD5: 124e5ba725b21e8b9efc27a94a7c0e6b
SHA1: 0c94aad1ba26b9f49814b949433488c7a2004054
SHA256: bc37bba7efe232feebe23a7152f8a7407e5f868e771a46bf67106e70f295cbc4
SHA512: a5260695ea7a27ad6a060809647fff447f51f8cec19f91568c37f4cc66278547fc41bb7c6b9f390c5d8f11f63df4c267b6e2cc0c56a87b363d9847bd945dfbb6
SSDEEP: 786432:4ru6+EORu4HYTd1AEtHYzENmuF7oUNUQWQu7bZmhxZTtU:4coJTd1dtHkENvhoLXQNTu
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  4268  CheatEngine75P.tmp

Loads dropped DLL (1 IoC)
  pid   process
  4268  CheatEngine75P.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                      process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process     entries
  4756  msedge.exe  2
  3092  msedge.exe  2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   process     entries
  3092  msedge.exe  3

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   process     entries
  3092  msedge.exe  25

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   process     entries
  3092  msedge.exe  12

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   process              procid_target  entries
  PID 568 wrote to memory of 4268   568   CheatEngine75P.exe   78             3
  PID 4268 wrote to memory of 3092  4268  CheatEngine75P.tmp   79             2
  PID 3092 wrote to memory of 2236  3092  msedge.exe           80             2
  PID 3092 wrote to memory of 2460  3092  msedge.exe           81             40
  PID 3092 wrote to memory of 4756  3092  msedge.exe           82             2
  PID 3092 wrote to memory of 2964  3092  msedge.exe           83             15
Processes

C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe"
  PID: 568
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-93825.tmp\CheatEngine75P.tmp" /SL5="$E0070,26635706,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75P.exe"
    PID: 4268
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.patreon.com/oauth2/authorize?response_type=code&client_id=Ee5CBUULyVg9XvCXN5O4Ckb8scfLqvrS7ciLBTFDNOukA_rte9ln17e0ho3NV7ry&state=BxokcEAd4T8lApB6tnHpjG4kv3KWGNQikfCwTcKY&redirect_uri=https%3A%2F%2Fcheatengine.org%2Fpatreon%2FLogin2.php&scope=identity
      PID: 3092
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff899153cb8,0x7ff899153cc8,0x7ff899153cd8
        PID: 2236

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
        PID: 2460

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
        PID: 4756
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
        PID: 2964

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        PID: 2832

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        PID: 3444

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13008600920463110597,11698472469764732178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
        PID: 3056

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 848

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1076
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 8ff8bdd04a2da5ef5d4b6a687da23156
SHA1: 247873c114f3cc780c3adb0f844fc0bb2b440b6d
SHA256: 09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
SHA512: 5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Filesize: 152B
MD5: 1e4ed4a50489e7fc6c3ce17686a7cd94
SHA1: eac4e98e46efc880605a23a632e68e2c778613e7
SHA256: fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
SHA512: 5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Filesize: 206KB
MD5: f998b8f6765b4c57936ada0bb2eb4a5a
SHA1: 13fb29dc0968838653b8414a125c124023c001df
SHA256: 374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef
SHA512: d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Filesize: 5KB
MD5: 24566540099cfdbb2f63ecbc70b9c068
SHA1: a8fa7a78b8ce504f7532294aa237ff684b715e7f
SHA256: d94e6186ee892792ed377fc902ae50555642e5d775132c6d810200491a7bbcba
SHA512: 1dc7a95e423f4306ace5e1404d42aa766ccb0732b5fa58cf012602b617dcb44c6200ae5d0627fe26ac61d4d7c5b2148c9b189260703bcc5e852ad64d686d7d0a

Filesize: 3.1MB
MD5: ce748c0283fa3fdbb974580ad37c6e71
SHA1: 40118bd5160d4b9cfba97d51fd842a9421203111
SHA256: 4f807664e75665e2f4b46183327ce0125a9fc1d4e38f55a42113ecfa5c519847
SHA512: 4beafc83f4808bec3026b158ee11b3de8976e510d24a1b330cd01d9e864c11b11cee56b0f740e1c296be4ee572a3e63529c041503e9c46f17d805953a7d93f00

Filesize: 347KB
MD5: 5663d99464c96a2677bf7a37efbead5d
SHA1: 270520e3b3a30232109887213d25972c37677d3d
SHA256: cab93d088904265378f94b9a3ad7f2f93480b4c3f645bd1627b259f0cffb5fa8
SHA512: 521ff832f662d4458114d17ffc7ae4e0bc66cbd06d2a676fb02acbf94cb8e86ba62aa7fe3901adac284080cebc5451750b91b7be3dd5422e1ef8a23603141a02