Malware Analysis Report

2025-05-28 18:17

Sample ID 241109-y1e58azra1
Target PAYDAY3_Trainer_[unknowncheats.me]_.exe
SHA256 d48fa25aa43ffa59b29b8219de34a5421e620242d22bdcb831ca0c2210ec8e72
Tags: discovery
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

d48fa25aa43ffa59b29b8219de34a5421e620242d22bdcb831ca0c2210ec8e72

Threat Level: Shows suspicious behavior

The file PAYDAY3_Trainer_[unknowncheats.me]_.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:14

Reported

2024-11-09 20:17

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\hhctrl.ocx C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\kernel32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\GDI32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\version.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\SHLWAPI.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\GLU32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\SETUPAPI.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\ws2_32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\iertutil.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\CLBCatQ.DLL C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\DUser.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\DUI70.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\Dbghelp.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\opengl32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\DCIMAN32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\comdlg32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\psapi.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\CRYPTBASE.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\RPCRT4.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\explorerframe.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\ole32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\advapi32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\CFGMGR32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\imm32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\uxtheme.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\oleaut32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\USER32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\LPK.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\USP10.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\DEVOBJ.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\dwmapi.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\MSCTF.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\normaliz.DLL C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\KERNELBASE.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\msvcrt.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\DDRAW.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\winmm.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\msimg32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\sechost.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\wsock32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\wininet.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\propsys.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\shell32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\NSI.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2192 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2192 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2192 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe
PID 2696 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe

"C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe"

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe

"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\CET_Archive.dat

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\lua53-64.dll

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\CET_TRAINER.CETRAINER

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET41B2.tmp\extracted\defines.lua

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:14

Reported

2024-11-09 20:19

Platform

win10v2004-20241007-en

Max time kernel

268s

Max time network

212s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\KERNELBASE.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\msvcp_win.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\win32u.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\msvcrt.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\ole32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\system32\explorerframe.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\user32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\imm32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\shcore.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\version.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\hhctrl.ocx C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\GLU32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\combase.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\sechost.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\uxtheme.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\MSCTF.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\oleaut32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\gdi32full.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\advapi32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\wininet.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\msimg32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\Dbghelp.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\KERNEL32.DLL C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\shell32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\bcryptPrimitives.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\RPCRT4.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\ws2_32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\opengl32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\kernel.appcore.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\PROPSYS.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\GDI32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\comdlg32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\wsock32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\winmm.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\Wldp.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\SHLWAPI.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\psapi.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\System32\clbcatq.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
File opened for modification C:\Windows\SYSTEM32\windows.storage.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe

"C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe"

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe

"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\CET_Archive.dat

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\lua53-64.dll

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\CET_TRAINER.CETRAINER

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET73D8.tmp\extracted\defines.lua
