Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
5Static
static
3install/Ch...67.exe
windows7-x64
4install/Ch...67.exe
windows10-2004-x64
4noinstall/...ne.exe
windows7-x64
5noinstall/...ne.exe
windows10-2004-x64
5noinstall/...ne.chm
windows7-x64
1noinstall/...ne.chm
windows10-2004-x64
1noinstall/...32.exe
windows7-x64
3noinstall/...32.exe
windows10-2004-x64
3noinstall/...64.exe
windows7-x64
1noinstall/...64.exe
windows10-2004-x64
1noinstall/...er.exe
windows7-x64
3noinstall/...er.exe
windows10-2004-x64
3noinstall/...86.exe
windows7-x64
3noinstall/...86.exe
windows10-2004-x64
3noinstall/...64.exe
windows7-x64
1noinstall/...64.exe
windows10-2004-x64
1noinstall/...86.dll
windows7-x64
3noinstall/...86.dll
windows10-2004-x64
3noinstall/...64.dll
windows7-x64
1noinstall/...64.dll
windows10-2004-x64
1noinstall/...TI.dll
windows7-x64
3noinstall/...TI.dll
windows10-2004-x64
3noinstall/...TI.dll
windows7-x64
1noinstall/...TI.dll
windows10-2004-x64
1noinstall/...32.dll
windows7-x64
5noinstall/...32.dll
windows10-2004-x64
5noinstall/...64.dll
windows7-x64
5noinstall/...64.dll
windows10-2004-x64
5noinstall/...ver.js
windows7-x64
3noinstall/...ver.js
windows10-2004-x64
3noinstall/...ver.js
windows7-x64
3noinstall/...ver.js
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10/08/2024, 06:30
Static task
static1
Behavioral task
behavioral1
Sample
install/CheatEngine67.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
install/CheatEngine67.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
noinstall/Cheat Engine.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral4
Sample
noinstall/Cheat Engine.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
noinstall/CheatEngine.chm
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
noinstall/CheatEngine.chm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
noinstall/DotNetDataCollector32.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
noinstall/DotNetDataCollector32.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
noinstall/DotNetDataCollector64.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
noinstall/DotNetDataCollector64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
noinstall/Kernelmoduleunloader.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
noinstall/Kernelmoduleunloader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
noinstall/Tutorial-i386.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
noinstall/Tutorial-i386.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
noinstall/Tutorial-x86_64.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral16
Sample
noinstall/Tutorial-x86_64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
noinstall/allochook-i386.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
noinstall/allochook-i386.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
noinstall/allochook-x86_64.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
noinstall/allochook-x86_64.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
noinstall/autorun/dlls/32/CEJVMTI.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
noinstall/autorun/dlls/32/CEJVMTI.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
noinstall/autorun/dlls/64/CEJVMTI.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral24
Sample
noinstall/autorun/dlls/64/CEJVMTI.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
noinstall/autorun/dlls/MonoDataCollector32.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
noinstall/autorun/dlls/MonoDataCollector32.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
noinstall/autorun/dlls/MonoDataCollector64.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
noinstall/autorun/dlls/MonoDataCollector64.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaEventServer.js
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral30
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaEventServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaServer.js
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral32
Sample
noinstall/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
noinstall/Cheat Engine.exe
-
Size
330KB
-
MD5
137a55c26e9ae8a92bf8cbee0b70ef61
-
SHA1
32fab66aa6acb3cd130f92991d64d65ba1045fa6
-
SHA256
6b4b25165fb825ca82a774413263bfe5c4840dcde9eb9efc1470c6d8a9554857
-
SHA512
83187a7a4099006bda6f14b5a5525cd1e7b6e791c159958721c23007ed51e6a39c66a6cfcca2769df5c08c4a99da1c8d81b6c527e1bbe13d2e9148937a4b1a2e
-
SSDEEP
6144:fjpISCLahZZvkSadUSjngHRjPYvv2tUrdgugEkkoSE5m2uw:VIBLMT7EgHRYGtUrdgugEnoSE5t
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation Cheat Engine.exe -
Drops file in System32 directory 42 IoCs
description ioc Process File opened for modification C:\Windows\System32\msvcp_win.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\ucrtbase.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\user32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\msvcrt.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\hhctrl.ocx cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\GLU32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\msimg32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\shfolder.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\SHLWAPI.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\clbcatq.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\windows.storage.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\Wldp.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\MSCTF.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\KERNEL32.DLL cheatengine-x86_64.exe File opened for modification C:\Windows\System32\KERNELBASE.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\gdi32full.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\ole32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\ws2_32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\wsock32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\uxtheme.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\kernel.appcore.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\bcryptPrimitives.dll cheatengine-x86_64.exe File opened for modification C:\Windows\system32\explorerframe.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\profapi.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\GDI32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\sechost.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\imagehlp.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\ntdll.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\shcore.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\imm32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\version.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\PROPSYS.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\oleaut32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\combase.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\RPCRT4.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\advapi32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\comdlg32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\psapi.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\opengl32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\SYSTEM32\wininet.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\shell32.dll cheatengine-x86_64.exe File opened for modification C:\Windows\System32\win32u.dll cheatengine-x86_64.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll cheatengine-x86_64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cheat Engine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tutorial-i386.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1692 cheatengine-x86_64.exe Token: SeTcbPrivilege 1692 cheatengine-x86_64.exe Token: SeTcbPrivilege 1692 cheatengine-x86_64.exe Token: SeLoadDriverPrivilege 1692 cheatengine-x86_64.exe Token: SeCreateGlobalPrivilege 1692 cheatengine-x86_64.exe Token: SeLockMemoryPrivilege 1692 cheatengine-x86_64.exe Token: 33 1692 cheatengine-x86_64.exe Token: SeSecurityPrivilege 1692 cheatengine-x86_64.exe Token: SeTakeOwnershipPrivilege 1692 cheatengine-x86_64.exe Token: SeManageVolumePrivilege 1692 cheatengine-x86_64.exe Token: SeBackupPrivilege 1692 cheatengine-x86_64.exe Token: SeCreatePagefilePrivilege 1692 cheatengine-x86_64.exe Token: SeShutdownPrivilege 1692 cheatengine-x86_64.exe Token: SeRestorePrivilege 1692 cheatengine-x86_64.exe Token: 33 1692 cheatengine-x86_64.exe Token: SeIncBasePriorityPrivilege 1692 cheatengine-x86_64.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1692 cheatengine-x86_64.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4748 wrote to memory of 1692 4748 Cheat Engine.exe 92 PID 4748 wrote to memory of 1692 4748 Cheat Engine.exe 92 PID 1692 wrote to memory of 4720 1692 cheatengine-x86_64.exe 98 PID 1692 wrote to memory of 4720 1692 cheatengine-x86_64.exe 98 PID 1692 wrote to memory of 4720 1692 cheatengine-x86_64.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\noinstall\Cheat Engine.exe"C:\Users\Admin\AppData\Local\Temp\noinstall\Cheat Engine.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\noinstall\cheatengine-x86_64.exe"C:\Users\Admin\AppData\Local\Temp\noinstall\cheatengine-x86_64.exe"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\noinstall\Tutorial-i386.exe"C:\Users\Admin\AppData\Local\Temp\noinstall\Tutorial-i386.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4720
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:81⤵PID:2944