Malware analysis CheatEngine74.exe Malicious activity

Add for printing

File name:	CheatEngine74.exe
Full analysis:	https://app.any.run/tasks/7928183b-4c39-4bf0-91d0-8df0a92930d5
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 01, 2024, 23:30:40
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer netreactor lua miner susp-powershell
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	EEC95B987E4B10E3D1632D62B50B4B30
SHA1:	D0D37058DC3F9E392ED00B284BBFD2B5EE66751D
SHA256:	02640E1DD5E7E7EA7A3B89ED9B7691AE934782013CB21B07905DC3B63782DD6A
SSDEEP:	98304:P+QqZ8fJFEEnnT/6wIIeFEEnnT/6wIIeFEEnnT/6wII8uL0EiEkOPATc+YiEQTPG:Y8KG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - net.exe (PID: 2096)
  - CheatEngine74.tmp (PID: 1992)
  - net.exe (PID: 3160)
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 5148)
  - rsEngineSvc.exe (PID: 4820)
  - rsVPNSvc.exe (PID: 4772)
  - rsDNSSvc.exe (PID: 6608)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 5724)
  - rundll32.exe (PID: 7396)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - CheatEngine74.tmp (PID: 4692)
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - Cheat Engine.exe (PID: 3028)
  - rsWSC.exe (PID: 7060)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsEngineSvc.exe (PID: 6308)
  - rsEDRSvc.exe (PID: 6056)
  - rsEngineSvc.exe (PID: 4820)
  - rsVPNSvc.exe (PID: 3812)
  - rsDNSSvc.exe (PID: 4692)
- Executable content was dropped or overwritten
  - CheatEngine74.exe (PID: 1164)
  - CheatEngine74.exe (PID: 6744)
  - CheatEngine74.tmp (PID: 7132)
  - CheatEngine74.exe (PID: 2040)
  - CheatEngine74.tmp (PID: 1992)
  - prod0.exe (PID: 6504)
  - 34cemg00.exe (PID: 5492)
  - UnifiedStub-installer.exe (PID: 5148)
- Drops the executable file immediately after the start
  - CheatEngine74.exe (PID: 1164)
  - CheatEngine74.exe (PID: 6744)
  - CheatEngine74.tmp (PID: 7132)
  - CheatEngine74.exe (PID: 2040)
  - CheatEngine74.tmp (PID: 1992)
  - prod0.exe (PID: 6504)
  - 34cemg00.exe (PID: 5492)
  - UnifiedStub-installer.exe (PID: 5148)
- Reads the date of Windows installation
  - CheatEngine74.tmp (PID: 4692)
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - Cheat Engine.exe (PID: 3028)
  - rsEDRSvc.exe (PID: 6020)
  - rsEngineSvc.exe (PID: 4820)
- Reads the Windows owner or organization settings
  - CheatEngine74.tmp (PID: 7132)
  - CheatEngine74.tmp (PID: 1992)
- Starts SC.EXE for service management
  - CheatEngine74.tmp (PID: 1992)
- Uses ICACLS.EXE to modify access control lists
  - CheatEngine74.tmp (PID: 1992)
- Process drops SQLite DLL files
  - CheatEngine74.tmp (PID: 1992)
- Process drops legitimate windows executable
  - 34cemg00.exe (PID: 5492)
  - CheatEngine74.tmp (PID: 1992)
  - UnifiedStub-installer.exe (PID: 5148)
- Searches for installed software
  - UnifiedStub-installer.exe (PID: 5148)
  - rsVPNSvc.exe (PID: 4772)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 2228)
  - rsWSC.exe (PID: 1948)
  - rsClientSvc.exe (PID: 1640)
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
  - WmiApSrv.exe (PID: 5548)
  - rsVPNClientSvc.exe (PID: 5152)
  - rsVPNSvc.exe (PID: 4772)
  - WmiApSrv.exe (PID: 7400)
  - rsDNSClientSvc.exe (PID: 8052)
  - rsDNSSvc.exe (PID: 6608)
  - rsDNSResolver.exe (PID: 8184)
  - WmiApSrv.exe (PID: 7460)
- Drops a system driver (possible attempt to evade defenses)
  - CheatEngine74.tmp (PID: 1992)
  - UnifiedStub-installer.exe (PID: 5148)
- Creates a software uninstall entry
  - UnifiedStub-installer.exe (PID: 5148)
- Detected use of alternative data streams (AltDS)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
- Checks Windows Trust Settings
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsWSC.exe (PID: 7060)
  - rsEngineSvc.exe (PID: 6308)
  - rsWSC.exe (PID: 1948)
  - rsEDRSvc.exe (PID: 6056)
  - rsEDRSvc.exe (PID: 6020)
  - rsEngineSvc.exe (PID: 4820)
  - rsVPNSvc.exe (PID: 3812)
  - rsDNSSvc.exe (PID: 4692)
- There is functionality for communication over UDP network (YARA)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
- The process creates files with name similar to system file names
  - UnifiedStub-installer.exe (PID: 5148)
- The process drops C-runtime libraries
  - UnifiedStub-installer.exe (PID: 5148)
- Drops 7-zip archiver for unpacking
  - UnifiedStub-installer.exe (PID: 5148)
- Adds/modifies Windows certificates
  - UnifiedStub-installer.exe (PID: 5148)
  - rsWSC.exe (PID: 7060)
  - rsEngineSvc.exe (PID: 4820)
- Uses RUNDLL32.EXE to load library
  - UnifiedStub-installer.exe (PID: 5148)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - UnifiedStub-installer.exe (PID: 5148)
- Creates or modifies Windows services
  - UnifiedStub-installer.exe (PID: 5148)
  - rundll32.exe (PID: 5724)
- Creates files in the driver directory
  - UnifiedStub-installer.exe (PID: 5148)
- Dropped object may contain URLs of mainers pools
  - rsEngineSvc.exe (PID: 4820)
- Process checks is Powershell's Script Block Logging on
  - rsEDRSvc.exe (PID: 6020)
- Reads the BIOS version
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
- Application launched itself
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 1992)
- The process checks if it is being run in the virtual environment
  - rsEngineSvc.exe (PID: 4820)
  - rsVPNSvc.exe (PID: 4772)
  - rsDNSSvc.exe (PID: 6608)
- There is functionality for taking screenshot (YARA)
  - rsHelper.exe (PID: 4168)
- Starts CMD.EXE for commands execution
  - rsDNSSvc.exe (PID: 6608)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 644)
  - cmd.exe (PID: 7036)
INFO
- Create files in a temporary directory
  - CheatEngine74.exe (PID: 1164)
  - CheatEngine74.exe (PID: 6744)
  - CheatEngine74.tmp (PID: 7132)
  - CheatEngine74.exe (PID: 2040)
  - prod0.exe (PID: 6504)
  - 34cemg00.exe (PID: 5492)
  - CheatEngine74.tmp (PID: 1992)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 1992)
- Checks supported languages
  - CheatEngine74.exe (PID: 1164)
  - CheatEngine74.tmp (PID: 4692)
  - CheatEngine74.exe (PID: 6744)
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - CheatEngine74.exe (PID: 2040)
  - CheatEngine74.tmp (PID: 1992)
  - _setup64.tmp (PID: 4820)
  - 34cemg00.exe (PID: 5492)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsSyncSvc.exe (PID: 6452)
  - rsSyncSvc.exe (PID: 2228)
  - Kernelmoduleunloader.exe (PID: 2132)
  - windowsrepair.exe (PID: 5144)
  - Cheat Engine.exe (PID: 3028)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - rsWSC.exe (PID: 7060)
  - rsClientSvc.exe (PID: 6956)
  - rsWSC.exe (PID: 1948)
  - rsClientSvc.exe (PID: 1640)
  - rsEngineSvc.exe (PID: 6308)
  - rsEngineSvc.exe (PID: 4820)
  - rsHelper.exe (PID: 4168)
  - rsEDRSvc.exe (PID: 6056)
  - EPP.exe (PID: 7132)
  - rsEDRSvc.exe (PID: 6020)
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 3256)
  - rsAppUI.exe (PID: 6380)
  - rsAppUI.exe (PID: 7120)
  - rsLitmus.A.exe (PID: 1840)
  - rsAppUI.exe (PID: 1528)
  - rsVPNClientSvc.exe (PID: 3852)
  - rsVPNClientSvc.exe (PID: 5152)
  - rsVPNSvc.exe (PID: 3812)
  - VPN.exe (PID: 7240)
  - rsVPNSvc.exe (PID: 4772)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 7620)
  - rsAppUI.exe (PID: 7556)
  - rsAppUI.exe (PID: 7584)
  - rsAppUI.exe (PID: 7836)
  - rsDNSResolver.exe (PID: 4528)
  - rsDNSClientSvc.exe (PID: 7948)
  - rsDNSResolver.exe (PID: 5504)
  - rsDNSClientSvc.exe (PID: 8052)
  - rsDNSSvc.exe (PID: 6608)
  - rsDNSResolver.exe (PID: 8184)
  - rsDNSSvc.exe (PID: 4692)
  - rsAppUI.exe (PID: 1992)
  - DNS.exe (PID: 8176)
  - rsAppUI.exe (PID: 8152)
  - rsAppUI.exe (PID: 7908)
  - rsAppUI.exe (PID: 6988)
- Reads the computer name
  - CheatEngine74.tmp (PID: 4692)
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - CheatEngine74.tmp (PID: 1992)
  - UnifiedStub-installer.exe (PID: 5148)
  - Kernelmoduleunloader.exe (PID: 2132)
  - rsSyncSvc.exe (PID: 6452)
  - rsSyncSvc.exe (PID: 2228)
  - Cheat Engine.exe (PID: 3028)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - rsWSC.exe (PID: 7060)
  - rsWSC.exe (PID: 1948)
  - rsClientSvc.exe (PID: 6956)
  - rsClientSvc.exe (PID: 1640)
  - rsEngineSvc.exe (PID: 6308)
  - rsEngineSvc.exe (PID: 4820)
  - rsHelper.exe (PID: 4168)
  - rsEDRSvc.exe (PID: 6020)
  - rsEDRSvc.exe (PID: 6056)
  - rsAppUI.exe (PID: 1528)
  - rsAppUI.exe (PID: 6380)
  - rsAppUI.exe (PID: 3208)
  - rsVPNClientSvc.exe (PID: 3852)
  - rsVPNSvc.exe (PID: 3812)
  - rsVPNClientSvc.exe (PID: 5152)
  - rsVPNSvc.exe (PID: 4772)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 7556)
  - rsAppUI.exe (PID: 7584)
  - rsDNSClientSvc.exe (PID: 8052)
  - rsDNSClientSvc.exe (PID: 7948)
  - rsDNSResolver.exe (PID: 5504)
  - rsDNSSvc.exe (PID: 4692)
  - rsDNSResolver.exe (PID: 8184)
  - rsDNSSvc.exe (PID: 6608)
  - rsAppUI.exe (PID: 8152)
  - rsAppUI.exe (PID: 1992)
  - rsAppUI.exe (PID: 7908)
- Process checks computer location settings
  - CheatEngine74.tmp (PID: 4692)
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - Cheat Engine.exe (PID: 3028)
  - rsAppUI.exe (PID: 3256)
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 7120)
  - rsVPNSvc.exe (PID: 4772)
  - rsAppUI.exe (PID: 7620)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 7836)
  - rsAppUI.exe (PID: 6988)
  - rsAppUI.exe (PID: 1992)
- Reads the software policy settings
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - UnifiedStub-installer.exe (PID: 5148)
  - slui.exe (PID: 6648)
  - rsWSC.exe (PID: 7060)
  - rsWSC.exe (PID: 1948)
  - rsEngineSvc.exe (PID: 6308)
  - rsEDRSvc.exe (PID: 6056)
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
  - rsVPNSvc.exe (PID: 4772)
  - rsVPNSvc.exe (PID: 3812)
  - slui.exe (PID: 940)
  - rsDNSSvc.exe (PID: 4692)
  - rsDNSSvc.exe (PID: 6608)
- Reads the machine GUID from the registry
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - UnifiedStub-installer.exe (PID: 5148)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - rsWSC.exe (PID: 7060)
  - rsWSC.exe (PID: 1948)
  - rsEngineSvc.exe (PID: 6308)
  - rsEngineSvc.exe (PID: 4820)
  - rsHelper.exe (PID: 4168)
  - rsEDRSvc.exe (PID: 6020)
  - rsEDRSvc.exe (PID: 6056)
  - rsAppUI.exe (PID: 3208)
  - rsVPNSvc.exe (PID: 3812)
  - rsVPNSvc.exe (PID: 4772)
  - rsAppUI.exe (PID: 7264)
  - rsDNSSvc.exe (PID: 4692)
  - rsDNSSvc.exe (PID: 6608)
  - rsAppUI.exe (PID: 1992)
- Checks proxy server information
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - UnifiedStub-installer.exe (PID: 5148)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - rsWSC.exe (PID: 7060)
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 7264)
  - slui.exe (PID: 940)
  - rsAppUI.exe (PID: 1992)
- The process uses the downloaded file
  - CheatEngine74.tmp (PID: 7132)
  - prod0.exe (PID: 6504)
  - UnifiedStub-installer.exe (PID: 5148)
  - Cheat Engine.exe (PID: 3028)
  - runonce.exe (PID: 5712)
  - rsWSC.exe (PID: 7060)
  - rsEngineSvc.exe (PID: 6308)
  - rsEDRSvc.exe (PID: 6056)
  - rsEngineSvc.exe (PID: 4820)
  - rsVPNSvc.exe (PID: 3812)
  - runonce.exe (PID: 7024)
  - rsDNSSvc.exe (PID: 4692)
- Disables trace logs
  - prod0.exe (PID: 6504)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
  - rsVPNSvc.exe (PID: 4772)
  - rsDNSSvc.exe (PID: 6608)
- Reads Environment values
  - prod0.exe (PID: 6504)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
  - rsAppUI.exe (PID: 3208)
  - rsVPNSvc.exe (PID: 4772)
  - rsAppUI.exe (PID: 7264)
  - rsDNSSvc.exe (PID: 6608)
  - rsAppUI.exe (PID: 1992)
- Creates files in the program directory
  - CheatEngine74.tmp (PID: 1992)
  - UnifiedStub-installer.exe (PID: 5148)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - rsWSC.exe (PID: 7060)
  - rsEngineSvc.exe (PID: 6308)
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6056)
  - rsEDRSvc.exe (PID: 6020)
  - rsVPNSvc.exe (PID: 3812)
  - rsVPNSvc.exe (PID: 4772)
  - rsDNSResolver.exe (PID: 5504)
  - rsDNSSvc.exe (PID: 4692)
  - rsDNSResolver.exe (PID: 8184)
  - rsDNSSvc.exe (PID: 6608)
- Creates a software uninstall entry
  - CheatEngine74.tmp (PID: 1992)
- Creates files or folders in the user directory
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
  - UnifiedStub-installer.exe (PID: 5148)
  - rsWSC.exe (PID: 7060)
  - rsEngineSvc.exe (PID: 4820)
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 6380)
  - rsVPNSvc.exe (PID: 4772)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 7584)
  - rsDNSSvc.exe (PID: 6608)
  - rsAppUI.exe (PID: 1992)
  - rsAppUI.exe (PID: 7908)
- .NET Reactor protector has been detected
  - UnifiedStub-installer.exe (PID: 5148)
  - rsWSC.exe (PID: 1948)
  - rsEngineSvc.exe (PID: 4820)
  - rsHelper.exe (PID: 4168)
  - rsEDRSvc.exe (PID: 6020)
- The process uses lua
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6716)
- Reads the time zone
  - runonce.exe (PID: 5712)
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
  - rsVPNSvc.exe (PID: 4772)
  - runonce.exe (PID: 7024)
  - rsDNSSvc.exe (PID: 6608)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 5712)
  - runonce.exe (PID: 7024)
- Reads product name
  - rsEDRSvc.exe (PID: 6020)
  - rsEngineSvc.exe (PID: 4820)
  - rsAppUI.exe (PID: 3208)
  - rsAppUI.exe (PID: 7264)
  - rsAppUI.exe (PID: 1992)
- Reads CPU info
  - rsEngineSvc.exe (PID: 4820)
  - rsEDRSvc.exe (PID: 6020)
  - rsVPNSvc.exe (PID: 4772)
  - rsDNSSvc.exe (PID: 6608)
- Found Base64 encoded access to Windows Defender via PowerShell (YARA)
  - rsEngineSvc.exe (PID: 4820)
- Found Base64 encoded text manipulation via PowerShell (YARA)
  - rsEngineSvc.exe (PID: 4820)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (51.8)
.exe	\|	InstallShield setup (20.3)
.exe	\|	Win32 EXE PECompact compressed (generic) (19.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.1)
.exe	\|	Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:11:15 09:48:30+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741376
InitializedDataSize:	38400
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	7.4.0.0
ProductVersionNumber:	7.4.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	EngineGame Installer
FileVersion:	7.4.0
LegalCopyright:
OriginalFileName:
ProductName:	EngineGame
ProductVersion:	7.4.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

239

Monitored processes

100

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

644

"cmd.exe" /C ipconfig /flushdns

C:\Windows\System32\cmd.exe

—

rsDNSSvc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

940

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1116

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

wevtutil.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1156

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

rsClientSvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1164

"C:\Users\admin\AppData\Local\Temp\CheatEngine74.exe"

C:\Users\admin\AppData\Local\Temp\CheatEngine74.exe

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

EngineGame Installer

Exit code:

Version:

7.4.0

Modules

Images
c:\users\admin\appdata\local\temp\cheatengine74.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1496

"C:\WINDOWS\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml

C:\Windows\System32\wevtutil.exe

—

UnifiedStub-installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Eventing Command Line Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll

1528

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1296 --field-trial-handle=1704,i,16147716300669257886,11772943422358165868,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

—

rsAppUI.exe

User:

admin

Company:

Reason Cybersecurity Ltd.

Integrity Level:

LOW

Description:

ReasonLabs Application

Version:

1.4.2

Modules

Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

1640

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

—

services.exe

User:

SYSTEM

Company:

Reason Software Company Inc.

Integrity Level:

SYSTEM

Description:

Reason Client Service

Version:

5.36.0

Modules

Images
c:\program files\reasonlabs\epp\rsclientsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll

1840

"C:\program files\reasonlabs\epp\rsLitmus.A.exe"

C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe

—

rsEngineSvc.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Exit code:

54321

Modules

Images
c:\program files\reasonlabs\epp\rslitmus.a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

105 608

Read events

104 947

Write events

434

Delete events

227

Modification events


(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: DC1B00006BD6C9FAC6FCDA01
(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 08302EB5FECD0EA416394265619DFFD7F637C3F16E8217C7E889B147C0884550
(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7132) CheatEngine74.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6504) prod0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6504) prod0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6504) prod0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

1 009

Suspicious files

374

Text files

485

Unknown types

Dropped files

PID	Process	Filename		Type
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\prod0		executable
		MD5:857DA404F9647C4A778C9A5A35D4C7AA	SHA256:53C448F8227C38232FBCAE8DF6B02200E2C52041F6F36037889D168230F517ED
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\zbShieldUtils.dll		executable
		MD5:E1F18A22199C6F6AA5D87B24E5B39EF1	SHA256:62C56C8CF2AC6521CE047B73AA99B6D3952CA53F11D34B00E98D17674A2FC10D
6744	CheatEngine74.exe	C:\Users\admin\AppData\Local\Temp\is-NJTCL.tmp\CheatEngine74.tmp		executable
		MD5:4D79561B3017B113D73B58FC63842C7C	SHA256:C9952A7EB2C7CA76A6B245724B4C4401728B24E306848EC45D28E7B93DC2DD92
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\is-CV3R6.tmp		image
		MD5:CD09F361286D1AD2622BA8A57B7613BD	SHA256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\finish.png		image
		MD5:6B7CB2A5A8B301C788C3792802696FE8	SHA256:3EED2E41BC6CA0AE9A5D5EE6D57CA727E5CBA6AC8E8C5234AC661F9080CEDADF
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\botva2.dll		executable
		MD5:67965A5957A61867D661F05AE1F4773E	SHA256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\is-ANETT.tmp		executable
		MD5:8F210E8BD05D93667412B67C092619A9	SHA256:5E9E9499CBDC5E77474918D8A6F09629F5FDC5CB41B78CFFB83DA64129543689
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\CheatEngine74.exe		executable
		MD5:8F210E8BD05D93667412B67C092619A9	SHA256:5E9E9499CBDC5E77474918D8A6F09629F5FDC5CB41B78CFFB83DA64129543689
7132	CheatEngine74.tmp	C:\Users\admin\AppData\Local\Temp\is-IUG4T.tmp\error.png		image
		MD5:6B7CB2A5A8B301C788C3792802696FE8	SHA256:3EED2E41BC6CA0AE9A5D5EE6D57CA727E5CBA6AC8E8C5234AC661F9080CEDADF
1992	CheatEngine74.tmp	C:\Program Files\Cheat Engine 7.4\is-VEK39.tmp		executable
		MD5:604AEB519F602C31B7FB885646398FCB	SHA256:22EB324A2A22F319B96619CF2D0BE0BCA7F503E776F1A4750C9C983F714C375C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

127

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4804	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1404	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4804	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6716	cheatengine-x86_64-SSE4-AVX2.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
6716	cheatengine-x86_64-SSE4-AVX2.exe	GET	200	142.250.186.35:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
5148	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
5148	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ0NE46krjtIffEj0l00lckKsLufgQUJEWZoXeQKnzDyoOwbmQWhCr4LGcCEzMAAVks49Nwjyk%2BFSMAAAABWSw%3D	unknown	—	—	whitelisted
5148	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAEllBL0tvuy4gAAAAAAAQ%3D	unknown	—	—	whitelisted
5148	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ0NE46krjtIffEj0l00lckKsLufgQUJEWZoXeQKnzDyoOwbmQWhCr4LGcCEzMAAVks49Nwjyk%2BFSMAAAABWSw%3D	unknown	—	—	whitelisted
5148	UnifiedStub-installer.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ID%20Verified%20CS%20AOC%20CA%2002.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4132	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6880	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7132	CheatEngine74.tmp	18.66.137.114:443	d2oq4dwfbh6gxl.cloudfront.net	AMAZON-02	US	whitelisted
3260	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1404	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1404	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
7132	CheatEngine74.tmp	18.172.112.11:443	shield.reasonsecurity.com	—	US	unknown

DNS requests

Domain	IP	Reputation
google.com	142.250.184.206	whitelisted
d2oq4dwfbh6gxl.cloudfront.net	18.66.137.114 18.66.137.198 18.66.137.45 18.66.137.70	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 4.231.128.59	whitelisted
client.wns.windows.com	40.113.110.67 40.113.103.199	whitelisted
login.live.com	20.190.160.22 40.126.32.72 40.126.32.133 40.126.32.136 40.126.32.138 40.126.32.68 40.126.32.134 40.126.32.140	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
shield.reasonsecurity.com	18.172.112.11 18.172.112.34 18.172.112.38 18.172.112.22	unknown
slscr.update.microsoft.com	40.68.123.157	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Kernelmoduleunloader.exe	Kernelmodule unloader
Kernelmoduleunloader.exe	Running in wow64
Kernelmoduleunloader.exe	Setup. So do not show messages
Kernelmoduleunloader.exe	attempting to unload
Kernelmoduleunloader.exe	SCManager opened
Kernelmoduleunloader.exe	count=0
Kernelmoduleunloader.exe	setup=true
cheatengine-x86_64-SSE4-AVX2.exe	setDPIAware
cheatengine-x86_64-SSE4-AVX2.exe	DisassemblerThumb init
cheatengine-x86_64-SSE4-AVX2.exe	arm disassembler

General Info

CheatEngine74.exe

EEC95B987E4B10E3D1632D62B50B4B30

D0D37058DC3F9E392ED00B284BBFD2B5EE66751D

02640E1DD5E7E7EA7A3B89ED9B7691AE934782013CB21B07905DC3B63782DD6A

98304:P+QqZ8fJFEEnnT/6wIIeFEEnnT/6wIIeFEEnnT/6wII8uL0EiEkOPATc+YiEQTPG:Y8KG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Reads the date of Windows installation

Reads the Windows owner or organization settings

Starts SC.EXE for service management

Uses ICACLS.EXE to modify access control lists

Process drops SQLite DLL files

Process drops legitimate windows executable

Searches for installed software

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Creates a software uninstall entry

Detected use of alternative data streams (AltDS)

Checks Windows Trust Settings

There is functionality for communication over UDP network (YARA)

The process creates files with name similar to system file names

The process drops C-runtime libraries

Drops 7-zip archiver for unpacking

Adds/modifies Windows certificates

Uses RUNDLL32.EXE to load library

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Creates or modifies Windows services

Creates files in the driver directory

Dropped object may contain URLs of mainers pools

Process checks is Powershell's Script Block Logging on

Reads the BIOS version

Application launched itself

The process checks if it is being run in the virtual environment

There is functionality for taking screenshot (YARA)

Starts CMD.EXE for commands execution

Process uses IPCONFIG to clear DNS cache

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

The process uses the downloaded file

Disables trace logs

Reads Environment values

Creates files in the program directory

Creates a software uninstall entry

Creates files or folders in the user directory

.NET Reactor protector has been detected

The process uses lua

Reads the time zone

Reads security settings of Internet Explorer

Reads product name

Reads CPU info

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Found Base64 encoded text manipulation via PowerShell (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information