Overview
overview
7Static
static
3wind64_Byp...er.dll
windows7-x64
1wind64_Byp...er.dll
windows10-2004-x64
1wind64_Byp...ne.exe
windows7-x64
5wind64_Byp...ne.exe
windows10-2004-x64
7wind64_Byp...ne.chm
windows7-x64
1wind64_Byp...ne.chm
windows10-2004-x64
1wind64_Byp...64.sys
windows7-x64
1wind64_Byp...64.sys
windows10-2004-x64
1wind64_Byp...32.exe
windows7-x64
3wind64_Byp...32.exe
windows10-2004-x64
3wind64_Byp...64.exe
windows7-x64
1wind64_Byp...64.exe
windows10-2004-x64
1wind64_Byp...ver.js
windows7-x64
3wind64_Byp...ver.js
windows10-2004-x64
3wind64_Byp...ver.js
windows7-x64
3wind64_Byp...ver.js
windows10-2004-x64
3wind64_Byp...ver.js
windows7-x64
3wind64_Byp...ver.js
windows10-2004-x64
3wind64_Byp...nfo.js
windows7-x64
3wind64_Byp...nfo.js
windows10-2004-x64
3wind64_Byp...rch.js
windows7-x64
3wind64_Byp...rch.js
windows10-2004-x64
3wind64_Byp...can.js
windows7-x64
3wind64_Byp...can.js
windows10-2004-x64
3wind64_Byp...ipt.js
windows7-x64
3wind64_Byp...ipt.js
windows10-2004-x64
3wind64_Byp...can.js
windows7-x64
3wind64_Byp...can.js
windows10-2004-x64
3wind64_Byp...ode.js
windows7-x64
3wind64_Byp...ode.js
windows10-2004-x64
3wind64_Byp...ram.js
windows7-x64
3wind64_Byp...ram.js
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/09/2024, 21:55
Static task
static1
Behavioral task
behavioral1
Sample
wind64_Bypass-main/Cheat Engine 7.4/CSCompiler.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
wind64_Bypass-main/Cheat Engine 7.4/CSCompiler.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
wind64_Bypass-main/Cheat Engine 7.4/Cheat Engine.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral4
Sample
wind64_Bypass-main/Cheat Engine 7.4/Cheat Engine.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
wind64_Bypass-main/Cheat Engine 7.4/CheatEngine.chm
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
wind64_Bypass-main/Cheat Engine 7.4/CheatEngine.chm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
wind64_Bypass-main/Cheat Engine 7.4/DBK64.sys
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
wind64_Bypass-main/Cheat Engine 7.4/DBK64.sys
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
wind64_Bypass-main/Cheat Engine 7.4/DotNetDataCollector32.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
wind64_Bypass-main/Cheat Engine 7.4/DotNetDataCollector32.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
wind64_Bypass-main/Cheat Engine 7.4/DotNetDataCollector64.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral12
Sample
wind64_Bypass-main/Cheat Engine 7.4/DotNetDataCollector64.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaEventServer.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaEventServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaServer.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dlls/src/Java/CEJVMTI/CEJVMTI/JavaServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dlls/src/Mono/MonoDataCollector/PipeServer.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dlls/src/Mono/MonoDataCollector/PipeServer.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dotnetinfo.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dotnetinfo.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dotnetsearch.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/dotnetsearch.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/modulelistscan.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/modulelistscan.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/monoscript.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/monoscript.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/patchscan.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/patchscan.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/pseudocode.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/pseudocode.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/pseudocodediagram.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
wind64_Bypass-main/Cheat Engine 7.4/autorun/pseudocodediagram.js
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
wind64_Bypass-main/Cheat Engine 7.4/Cheat Engine.exe
-
Size
363KB
-
MD5
0fa859e1b115bb88ea35bf65077e97af
-
SHA1
75f2f3e46b059f5f4bfefb62970e6c6a9c91075f
-
SHA256
37bb7ba2590773884017988b6a0eb3ebb1a24f2add9781805af98699d3d0c50a
-
SHA512
31956e2c7bd08dd5804b3267f58336881fbdabe8b778c63d4a8d7a144b08465560d755838638ea46cd5378a1e97ca85ba3d56d5dafe0445c27dd97e8d26b4761
-
SSDEEP
6144:Ue0N02K5ebkjaIvsz3dCvKHlLjsyRW6oCog8fC08l0glwgugEkkoSE5j:b0N02KsbnIU70vYrRHAjC0Y0glwgugEs
Malware Config
Signatures
-
Drops file in System32 directory 52 IoCs
description ioc Process File opened for modification C:\Windows\system32\CFGMGR32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\ws2_32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\psapi.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\NSI.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\MSCTF.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\oleaut32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\GLU32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\propsys.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\DDRAW.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\iertutil.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\profapi.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\LPK.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\uxtheme.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\DCIMAN32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\wsock32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\USER32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\dwmapi.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\CRYPTBASE.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\explorerframe.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\shfolder.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\DEVOBJ.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\imm32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\version.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\msimg32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\ole32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\GDI32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\DUser.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\SYSTEM32\sechost.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\normaliz.DLL cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\shell32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\DUI70.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\kernel32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\USP10.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\CLBCatQ.DLL cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\opengl32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\comdlg32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\imagehlp.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\msvcrt.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\RPCRT4.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\SETUPAPI.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\SYSTEM32\ntdll.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\SHLWAPI.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\KERNELBASE.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\wininet.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\advapi32.dll cheatengine-x86_64-SSE4-AVX2.exe File opened for modification C:\Windows\system32\hhctrl.ocx cheatengine-x86_64-SSE4-AVX2.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll cheatengine-x86_64-SSE4-AVX2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cheat Engine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tutorial-i386.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2880 cheatengine-x86_64-SSE4-AVX2.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeTcbPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeTcbPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeLoadDriverPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeCreateGlobalPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeLockMemoryPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: 33 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeSecurityPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeTakeOwnershipPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeManageVolumePrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeBackupPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeCreatePagefilePrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeShutdownPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeRestorePrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: 33 2880 cheatengine-x86_64-SSE4-AVX2.exe Token: SeIncBasePriorityPrivilege 2880 cheatengine-x86_64-SSE4-AVX2.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2880 cheatengine-x86_64-SSE4-AVX2.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2880 2116 Cheat Engine.exe 29 PID 2116 wrote to memory of 2880 2116 Cheat Engine.exe 29 PID 2116 wrote to memory of 2880 2116 Cheat Engine.exe 29 PID 2116 wrote to memory of 2880 2116 Cheat Engine.exe 29 PID 2880 wrote to memory of 2856 2880 cheatengine-x86_64-SSE4-AVX2.exe 30 PID 2880 wrote to memory of 2856 2880 cheatengine-x86_64-SSE4-AVX2.exe 30 PID 2880 wrote to memory of 2856 2880 cheatengine-x86_64-SSE4-AVX2.exe 30 PID 2880 wrote to memory of 2856 2880 cheatengine-x86_64-SSE4-AVX2.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\wind64_Bypass-main\Cheat Engine 7.4\Cheat Engine.exe"C:\Users\Admin\AppData\Local\Temp\wind64_Bypass-main\Cheat Engine 7.4\Cheat Engine.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\wind64_Bypass-main\Cheat Engine 7.4\cheatengine-x86_64-SSE4-AVX2.exe"C:\Users\Admin\AppData\Local\Temp\wind64_Bypass-main\Cheat Engine 7.4\cheatengine-x86_64-SSE4-AVX2.exe"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\wind64_Bypass-main\Cheat Engine 7.4\Tutorial-i386.exe"C:\Users\Admin\AppData\Local\Temp\wind64_Bypass-main\Cheat Engine 7.4\Tutorial-i386.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2856
-
-