Malware analysis CheatEngine73.exe Malicious activity

Add for printing

File name:	CheatEngine73.exe
Full analysis:	https://app.any.run/tasks/89a3b02f-c231-456f-894f-5914bc11427b
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. IcedID is a banking trojan-type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 08, 2025, 12:28:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi inno installer cheatengine tool bundleinstaller adware innosetup arch-exec dbk64-sys vuln-driver evasion stealer loader icedid
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:	7ED6B58360D0D7E033237F37DD314F47
SHA1:	6925AA78B2A1E18524BCBBE09611D079B7BDC9ED
SHA256:	9B8480581FFD010C93C4504D0BB5DCD8C2EBA5C57812E399DA8C6C58024A4903
SSDEEP:	98304:6Sif4opH4opH4opuE9vBuN1EdKKBEXJhJJ:SDBDBDlDKKB2/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bundleinstaller mutex has been found
  - CheatEngine73.tmp (PID: 5924)
- Starts NET.EXE for service management
  - CheatEngine73.tmp (PID: 5168)
  - net.exe (PID: 2648)
  - net.exe (PID: 3952)
- Vulnerable driver has been detected
  - CheatEngine73.tmp (PID: 5168)
- Changes the autorun value in the registry
  - instup.exe (PID: 5080)
  - instup.exe (PID: 8244)
- Starts Visual C# compiler
  - WeatherZero.exe (PID: 7332)
- ICEDID has been detected (YARA)
  - servicehost.exe (PID: 7532)
- Steals credentials from Web Browsers
  - engsup.exe (PID: 1388)
  - AvastSvc.exe (PID: 4788)
  - aswEngSrv.exe (PID: 3520)
  - AvastUI.exe (PID: 2508)
- Actions looks like stealing of personal data
  - engsup.exe (PID: 1388)
  - AvastUI.exe (PID: 2508)
- Antivirus name has been found in the command line (generic signature)
  - AvastUI.exe (PID: 2508)
  - AvastUI.exe (PID: 3624)
  - AvastUI.exe (PID: 2220)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 504)
  - AvastUI.exe (PID: 5028)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - CheatEngine73.tmp (PID: 1332)
  - CheatEngine73.tmp (PID: 5924)
  - saBSI.exe (PID: 4032)
  - WZSetup.exe (PID: 6732)
  - saBSI.exe (PID: 4088)
  - installer.exe (PID: 1044)
  - WeatherZero.exe (PID: 7332)
  - uihost.exe (PID: 8028)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - Cheat Engine.exe (PID: 8004)
  - Cheat Engine.exe (PID: 6368)
  - AvastSvc.exe (PID: 4788)
  - AvastUI.exe (PID: 2508)
- Executable content was dropped or overwritten
  - CheatEngine73.exe (PID: 6612)
  - CheatEngine73.exe (PID: 4040)
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.exe (PID: 1096)
  - CheatEngine73.tmp (PID: 5168)
  - icacls.exe (PID: 3640)
  - cookie_mmm_irs_ppi_005_888_a.exe (PID: 6676)
  - WZSetup.exe (PID: 6732)
  - saBSI.exe (PID: 4032)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - saBSI.exe (PID: 4088)
  - Instup.exe (PID: 1080)
  - installer.exe (PID: 1944)
  - installer.exe (PID: 1044)
  - csc.exe (PID: 7416)
  - instup.exe (PID: 5080)
  - AvEmUpdate.exe (PID: 7576)
  - AvastSvc.exe (PID: 4788)
  - instup.exe (PID: 8244)
  - aswOfferTool.exe (PID: 8216)
- Reads the Windows owner or organization settings
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.tmp (PID: 5168)
- Starts SC.EXE for service management
  - CheatEngine73.tmp (PID: 5168)
- Windows service management via SC.EXE
  - sc.exe (PID: 4444)
  - sc.exe (PID: 4512)
- Process drops legitimate windows executable
  - CheatEngine73.tmp (PID: 5168)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - instup.exe (PID: 8244)
- Process drops SQLite DLL files
  - CheatEngine73.tmp (PID: 5168)
- Drops a system driver (possible attempt to evade defenses)
  - CheatEngine73.tmp (PID: 5168)
  - instup.exe (PID: 5080)
- Uses ICACLS.EXE to modify access control lists
  - CheatEngine73.tmp (PID: 5168)
- Potential Corporate Privacy Violation
  - cookie_mmm_irs_ppi_005_888_a.exe (PID: 6676)
  - AvastUI.exe (PID: 2508)
- Adds/modifies Windows certificates
  - saBSI.exe (PID: 4032)
  - servicehost.exe (PID: 7532)
  - AvastSvc.exe (PID: 4788)
- The process verifies whether the antivirus software is installed
  - saBSI.exe (PID: 4088)
  - installer.exe (PID: 1944)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - servicehost.exe (PID: 7532)
  - uihost.exe (PID: 8028)
  - updater.exe (PID: 7472)
  - cmd.exe (PID: 6776)
  - cmd.exe (PID: 8008)
  - SetupInf.exe (PID: 7600)
  - SetupInf.exe (PID: 2324)
  - SetupInf.exe (PID: 2664)
  - SetupInf.exe (PID: 2168)
  - SetupInf.exe (PID: 888)
  - AvEmUpdate.exe (PID: 7576)
  - AvEmUpdate.exe (PID: 5908)
  - RegSvr.exe (PID: 6036)
  - RegSvr.exe (PID: 3704)
  - AvastNM.exe (PID: 5720)
  - SetupInf.exe (PID: 1580)
  - overseer.exe (PID: 3148)
  - wsc_proxy.exe (PID: 3564)
  - engsup.exe (PID: 2532)
  - wsc_proxy.exe (PID: 6312)
  - aswToolsSvc.exe (PID: 8004)
  - AvastSvc.exe (PID: 4788)
  - aswEngSrv.exe (PID: 3520)
  - instup.exe (PID: 8196)
  - engsup.exe (PID: 1388)
  - instup.exe (PID: 8244)
  - AvastUI.exe (PID: 2508)
  - AvEmUpdate.exe (PID: 9208)
  - aswOfferTool.exe (PID: 6836)
  - aswOfferTool.exe (PID: 8216)
  - AvastUI.exe (PID: 3624)
  - AvastUI.exe (PID: 2220)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 5028)
  - engsup.exe (PID: 8984)
  - AvastUI.exe (PID: 504)
  - aswidsagent.exe (PID: 7280)
  - instup.exe (PID: 2532)
- Executes as Windows Service
  - WeatherZeroService.exe (PID: 32)
  - PresentationFontCache.exe (PID: 7784)
  - servicehost.exe (PID: 7532)
  - AvastSvc.exe (PID: 4788)
  - aswToolsSvc.exe (PID: 8004)
  - wsc_proxy.exe (PID: 6312)
  - aswidsagent.exe (PID: 7280)
- Searches for installed software
  - WZSetup.exe (PID: 6732)
  - updater.exe (PID: 7472)
  - overseer.exe (PID: 3148)
  - AvastSvc.exe (PID: 4788)
- The process creates files with name similar to system file names
  - installer.exe (PID: 1044)
- Creates a software uninstall entry
  - WZSetup.exe (PID: 6732)
  - installer.exe (PID: 1044)
  - servicehost.exe (PID: 7532)
  - instup.exe (PID: 5080)
- Creates/Modifies COM task schedule object
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - RegSvr.exe (PID: 6036)
  - RegSvr.exe (PID: 3704)
- Starts itself from another location
  - Instup.exe (PID: 1080)
- Process checks presence of unattended files
  - instup.exe (PID: 5080)
- Uses .NET C# to load dll
  - WeatherZero.exe (PID: 7332)
- Reads Mozilla Firefox installation path
  - servicehost.exe (PID: 7532)
  - uihost.exe (PID: 8028)
- Checks for external IP
  - WeatherZero.exe (PID: 7332)
  - svchost.exe (PID: 2200)
  - AvEmUpdate.exe (PID: 7576)
  - AvastSvc.exe (PID: 4788)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
- Starts CMD.EXE for commands execution
  - updater.exe (PID: 7472)
- The process drops C-runtime libraries
  - instup.exe (PID: 5080)
- Detected use of alternative data streams (AltDS)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 5020)
- Creates files in the driver directory
  - instup.exe (PID: 5080)
- Creates or modifies Windows services
  - instup.exe (PID: 5080)
- Modifies hosts file to alter network resolution
  - AvastSvc.exe (PID: 4788)
- Connects to unusual port
  - AvastSvc.exe (PID: 4788)
- Reads the date of Windows installation
  - instup.exe (PID: 5080)
  - AvastSvc.exe (PID: 4788)
  - AvastUI.exe (PID: 2508)
  - aswidsagent.exe (PID: 7280)
  - instup.exe (PID: 8244)
- Checks for Java to be installed
  - AvastSvc.exe (PID: 4788)
- Application launched itself
  - AvastUI.exe (PID: 2508)
- Read startup parameters
  - aswidsagent.exe (PID: 7280)
  - AvastSvc.exe (PID: 4788)
- Reads Microsoft Outlook installation path
  - AvastSvc.exe (PID: 4788)
- Process requests binary or script from the Internet
  - AvastSvc.exe (PID: 4788)
INFO
- Checks supported languages
  - CheatEngine73.exe (PID: 6612)
  - CheatEngine73.tmp (PID: 1332)
  - CheatEngine73.exe (PID: 4040)
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.exe (PID: 1096)
  - CheatEngine73.tmp (PID: 5168)
  - Kernelmoduleunloader.exe (PID: 2324)
  - _setup64.tmp (PID: 6520)
  - windowsrepair.exe (PID: 2348)
  - saBSI.exe (PID: 4032)
  - cookie_mmm_irs_ppi_005_888_a.exe (PID: 6676)
  - WZSetup.exe (PID: 6732)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - saBSI.exe (PID: 4088)
  - Instup.exe (PID: 1080)
  - WeatherZeroService.exe (PID: 1096)
  - WeatherZeroService.exe (PID: 2732)
  - WeatherZeroService.exe (PID: 32)
  - installer.exe (PID: 1944)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - sbr.exe (PID: 7248)
  - WeatherZero.exe (PID: 7332)
  - csc.exe (PID: 7416)
  - cvtres.exe (PID: 7592)
  - PresentationFontCache.exe (PID: 7784)
  - servicehost.exe (PID: 7532)
  - uihost.exe (PID: 8028)
  - updater.exe (PID: 7472)
  - Cheat Engine.exe (PID: 6368)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - Cheat Engine.exe (PID: 8004)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 5020)
  - SetupInf.exe (PID: 7600)
  - SetupInf.exe (PID: 888)
  - SetupInf.exe (PID: 2324)
  - SetupInf.exe (PID: 2168)
  - SetupInf.exe (PID: 2664)
  - AvEmUpdate.exe (PID: 5908)
  - AvEmUpdate.exe (PID: 7576)
  - RegSvr.exe (PID: 6036)
  - RegSvr.exe (PID: 3704)
  - AvastNM.exe (PID: 5720)
  - overseer.exe (PID: 3148)
  - engsup.exe (PID: 2532)
  - wsc_proxy.exe (PID: 3564)
  - SetupInf.exe (PID: 1580)
  - AvastSvc.exe (PID: 4788)
  - aswToolsSvc.exe (PID: 8004)
  - wsc_proxy.exe (PID: 6312)
  - engsup.exe (PID: 1388)
  - aswEngSrv.exe (PID: 3520)
  - instup.exe (PID: 8244)
  - instup.exe (PID: 8196)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
  - aswOfferTool.exe (PID: 8216)
  - AvastUI.exe (PID: 3624)
  - AvastUI.exe (PID: 2220)
  - aswOfferTool.exe (PID: 6836)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 5028)
  - AvastUI.exe (PID: 504)
  - aswidsagent.exe (PID: 7280)
  - engsup.exe (PID: 8984)
  - instup.exe (PID: 2532)
- Process checks computer location settings
  - CheatEngine73.tmp (PID: 1332)
  - CheatEngine73.tmp (PID: 5924)
  - uihost.exe (PID: 8028)
  - servicehost.exe (PID: 7532)
  - Cheat Engine.exe (PID: 6368)
  - Cheat Engine.exe (PID: 8004)
  - aswToolsSvc.exe (PID: 8004)
  - AvastSvc.exe (PID: 4788)
  - AvastUI.exe (PID: 2508)
  - AvastUI.exe (PID: 504)
  - AvastUI.exe (PID: 4916)
- Reads the computer name
  - CheatEngine73.tmp (PID: 1332)
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.tmp (PID: 5168)
  - Kernelmoduleunloader.exe (PID: 2324)
  - saBSI.exe (PID: 4032)
  - cookie_mmm_irs_ppi_005_888_a.exe (PID: 6676)
  - WZSetup.exe (PID: 6732)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - saBSI.exe (PID: 4088)
  - WeatherZeroService.exe (PID: 1096)
  - Instup.exe (PID: 1080)
  - WeatherZeroService.exe (PID: 2732)
  - WeatherZeroService.exe (PID: 32)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - WeatherZero.exe (PID: 7332)
  - servicehost.exe (PID: 7532)
  - PresentationFontCache.exe (PID: 7784)
  - uihost.exe (PID: 8028)
  - updater.exe (PID: 7472)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - Cheat Engine.exe (PID: 6368)
  - Cheat Engine.exe (PID: 8004)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 5020)
  - SetupInf.exe (PID: 7600)
  - SetupInf.exe (PID: 888)
  - SetupInf.exe (PID: 2324)
  - SetupInf.exe (PID: 2664)
  - SetupInf.exe (PID: 2168)
  - AvEmUpdate.exe (PID: 5908)
  - AvEmUpdate.exe (PID: 7576)
  - RegSvr.exe (PID: 6036)
  - RegSvr.exe (PID: 3704)
  - overseer.exe (PID: 3148)
  - wsc_proxy.exe (PID: 3564)
  - SetupInf.exe (PID: 1580)
  - wsc_proxy.exe (PID: 6312)
  - AvastSvc.exe (PID: 4788)
  - aswToolsSvc.exe (PID: 8004)
  - engsup.exe (PID: 1388)
  - instup.exe (PID: 8196)
  - instup.exe (PID: 8244)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
  - aswOfferTool.exe (PID: 8216)
  - aswOfferTool.exe (PID: 6836)
  - AvastUI.exe (PID: 2220)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 504)
  - AvastUI.exe (PID: 5028)
  - AvastUI.exe (PID: 3624)
  - aswidsagent.exe (PID: 7280)
  - instup.exe (PID: 2532)
- Create files in a temporary directory
  - CheatEngine73.exe (PID: 6612)
  - CheatEngine73.exe (PID: 4040)
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.exe (PID: 1096)
  - CheatEngine73.tmp (PID: 5168)
  - WZSetup.exe (PID: 6732)
  - saBSI.exe (PID: 4088)
  - installer.exe (PID: 1044)
  - WeatherZero.exe (PID: 7332)
  - csc.exe (PID: 7416)
  - cvtres.exe (PID: 7592)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - engsup.exe (PID: 1388)
  - AvastUI.exe (PID: 2508)
- Detects InnoSetup installer (YARA)
  - CheatEngine73.exe (PID: 6612)
  - CheatEngine73.tmp (PID: 1332)
  - CheatEngine73.exe (PID: 4040)
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.exe (PID: 1096)
  - CheatEngine73.tmp (PID: 5168)
- Compiled with Borland Delphi (YARA)
  - CheatEngine73.exe (PID: 6612)
  - CheatEngine73.tmp (PID: 1332)
  - CheatEngine73.exe (PID: 4040)
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.exe (PID: 1096)
  - CheatEngine73.tmp (PID: 5168)
- The sample compiled with russian language support
  - CheatEngine73.tmp (PID: 5924)
- CHEATENGINE mutex has been found
  - CheatEngine73.tmp (PID: 5924)
- Reads the software policy settings
  - CheatEngine73.tmp (PID: 5924)
  - saBSI.exe (PID: 4032)
  - WZSetup.exe (PID: 6732)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - Instup.exe (PID: 1080)
  - saBSI.exe (PID: 4088)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - WeatherZero.exe (PID: 7332)
  - servicehost.exe (PID: 7532)
  - uihost.exe (PID: 8028)
  - updater.exe (PID: 7472)
  - slui.exe (PID: 2076)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - AvEmUpdate.exe (PID: 7576)
  - AvastSvc.exe (PID: 4788)
  - instup.exe (PID: 8244)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
  - instup.exe (PID: 8196)
  - instup.exe (PID: 2532)
- The sample compiled with english language support
  - CheatEngine73.tmp (PID: 5924)
  - CheatEngine73.tmp (PID: 5168)
  - WZSetup.exe (PID: 6732)
  - cookie_mmm_irs_ppi_005_888_a.exe (PID: 6676)
  - saBSI.exe (PID: 4032)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - saBSI.exe (PID: 4088)
  - Instup.exe (PID: 1080)
  - installer.exe (PID: 1944)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - AvEmUpdate.exe (PID: 7576)
  - AvastSvc.exe (PID: 4788)
  - instup.exe (PID: 8244)
  - aswOfferTool.exe (PID: 8216)
- Reads the machine GUID from the registry
  - CheatEngine73.tmp (PID: 5924)
  - saBSI.exe (PID: 4032)
  - WZSetup.exe (PID: 6732)
  - cookie_mmm_irs_ppi_005_888_a.exe (PID: 6676)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - Instup.exe (PID: 1080)
  - saBSI.exe (PID: 4088)
  - WeatherZeroService.exe (PID: 2732)
  - installer.exe (PID: 1044)
  - WeatherZeroService.exe (PID: 32)
  - instup.exe (PID: 5080)
  - WeatherZero.exe (PID: 7332)
  - cvtres.exe (PID: 7592)
  - PresentationFontCache.exe (PID: 7784)
  - servicehost.exe (PID: 7532)
  - uihost.exe (PID: 8028)
  - updater.exe (PID: 7472)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - SetupInf.exe (PID: 7600)
  - csc.exe (PID: 7416)
  - SetupInf.exe (PID: 888)
  - SetupInf.exe (PID: 2324)
  - SetupInf.exe (PID: 2664)
  - SetupInf.exe (PID: 2168)
  - AvEmUpdate.exe (PID: 5908)
  - AvEmUpdate.exe (PID: 7576)
  - RegSvr.exe (PID: 6036)
  - RegSvr.exe (PID: 3704)
  - overseer.exe (PID: 3148)
  - wsc_proxy.exe (PID: 3564)
  - SetupInf.exe (PID: 1580)
  - wsc_proxy.exe (PID: 6312)
  - AvastSvc.exe (PID: 4788)
  - aswToolsSvc.exe (PID: 8004)
  - instup.exe (PID: 8244)
  - instup.exe (PID: 8196)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
  - AvastUI.exe (PID: 2220)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 504)
  - AvastUI.exe (PID: 5028)
  - AvastUI.exe (PID: 3624)
  - instup.exe (PID: 2532)
  - aswidsagent.exe (PID: 7280)
- Checks proxy server information
  - CheatEngine73.tmp (PID: 5924)
  - saBSI.exe (PID: 4032)
  - WZSetup.exe (PID: 6732)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - Instup.exe (PID: 1080)
  - saBSI.exe (PID: 4088)
  - instup.exe (PID: 5080)
  - WeatherZero.exe (PID: 7332)
  - slui.exe (PID: 2076)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - AvEmUpdate.exe (PID: 5908)
  - AvEmUpdate.exe (PID: 7576)
  - instup.exe (PID: 8244)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
  - AvastUI.exe (PID: 3624)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 2220)
  - AvastUI.exe (PID: 5028)
  - AvastUI.exe (PID: 504)
- Creates a software uninstall entry
  - CheatEngine73.tmp (PID: 5168)
- Creates files in the program directory
  - CheatEngine73.tmp (PID: 5168)
  - saBSI.exe (PID: 4032)
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - Instup.exe (PID: 1080)
  - saBSI.exe (PID: 4088)
  - WZSetup.exe (PID: 6732)
  - installer.exe (PID: 1944)
  - installer.exe (PID: 1044)
  - instup.exe (PID: 5080)
  - servicehost.exe (PID: 7532)
  - uihost.exe (PID: 8028)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 6900)
  - cheatengine-x86_64-SSE4-AVX2.exe (PID: 5020)
  - AvEmUpdate.exe (PID: 7576)
  - AvEmUpdate.exe (PID: 5908)
  - AvastNM.exe (PID: 5720)
  - engsup.exe (PID: 2532)
  - wsc_proxy.exe (PID: 3564)
  - AvastSvc.exe (PID: 4788)
  - aswToolsSvc.exe (PID: 8004)
  - engsup.exe (PID: 1388)
  - instup.exe (PID: 8244)
  - AvastUI.exe (PID: 2508)
  - aswOfferTool.exe (PID: 8216)
  - engsup.exe (PID: 8984)
  - aswidsagent.exe (PID: 7280)
  - instup.exe (PID: 8196)
  - instup.exe (PID: 2532)
- Creates files or folders in the user directory
  - WZSetup.exe (PID: 6732)
  - WeatherZero.exe (PID: 7332)
  - AvastUI.exe (PID: 2508)
  - AvastUI.exe (PID: 5028)
- Reads CPU info
  - avast_free_antivirus_setup_online_x64.exe (PID: 6004)
  - Instup.exe (PID: 1080)
  - instup.exe (PID: 5080)
  - SetupInf.exe (PID: 7600)
  - SetupInf.exe (PID: 888)
  - SetupInf.exe (PID: 2324)
  - SetupInf.exe (PID: 2664)
  - SetupInf.exe (PID: 2168)
  - AvEmUpdate.exe (PID: 5908)
  - AvEmUpdate.exe (PID: 7576)
  - RegSvr.exe (PID: 6036)
  - RegSvr.exe (PID: 3704)
  - AvastNM.exe (PID: 5720)
  - SetupInf.exe (PID: 1580)
  - engsup.exe (PID: 2532)
  - servicehost.exe (PID: 7532)
  - wsc_proxy.exe (PID: 3564)
  - wsc_proxy.exe (PID: 6312)
  - AvastSvc.exe (PID: 4788)
  - aswToolsSvc.exe (PID: 8004)
  - engsup.exe (PID: 1388)
  - instup.exe (PID: 8244)
  - aswEngSrv.exe (PID: 3520)
  - instup.exe (PID: 8196)
  - uihost.exe (PID: 8028)
  - AvastUI.exe (PID: 2508)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2220)
  - AvastUI.exe (PID: 4916)
  - AvastUI.exe (PID: 504)
  - AvastUI.exe (PID: 5028)
  - AvastUI.exe (PID: 3624)
  - engsup.exe (PID: 8984)
  - aswidsagent.exe (PID: 7280)
  - instup.exe (PID: 2532)
- Reads Environment values
  - Instup.exe (PID: 1080)
  - instup.exe (PID: 5080)
  - AvEmUpdate.exe (PID: 5908)
  - AvEmUpdate.exe (PID: 7576)
  - aswToolsSvc.exe (PID: 8004)
  - AvastSvc.exe (PID: 4788)
  - instup.exe (PID: 8244)
  - instup.exe (PID: 8196)
  - AvEmUpdate.exe (PID: 9208)
  - AvastUI.exe (PID: 2508)
  - aswidsagent.exe (PID: 7280)
  - instup.exe (PID: 2532)
- Launching a file from a Registry key
  - instup.exe (PID: 5080)
  - instup.exe (PID: 8244)
- Disables trace logs
  - WeatherZero.exe (PID: 7332)
- The sample compiled with czech language support
  - instup.exe (PID: 5080)
- Manual execution by a user
  - Cheat Engine.exe (PID: 2532)
  - Cheat Engine.exe (PID: 8004)
  - AvastUI.exe (PID: 2508)
- Process checks whether UAC notifications are on
  - AvastSvc.exe (PID: 4788)
  - AvastUI.exe (PID: 2508)
- Reads product name
  - aswidsagent.exe (PID: 7280)
- Reads the time zone
  - aswidsagent.exe (PID: 7280)
- Drops encrypted JS script (Microsoft Script Encoder)
  - aswidsagent.exe (PID: 7280)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:11:15 09:48:30+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741376
InitializedDataSize:	102912
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	7.3.0.0
ProductVersionNumber:	7.3.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	EngineGame Installer
FileVersion:	7.3.0
LegalCopyright:
OriginalFileName:
ProductName:	EngineGame
ProductVersion:	7.3.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

243

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

—

services.exe

User:

SYSTEM

Company:

Weather Information Service

Integrity Level:

SYSTEM

Description:

Weather Delivery Service

Version:

1.0.0.9

Modules

Images
c:\program files (x86)\weatherzero\weatherzeroservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

436

"icacls" "C:\Program Files\Cheat Engine 7.3" /grant *S-1-15-2-1:(OI)(CI)(RX)

C:\Windows\System32\icacls.exe

—

CheatEngine73.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

504

"C:\Program Files\Avast Software\Avast\AvastUI.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Avast\log\cef_log.txt" --field-trial-handle=9044,6230262323459737487,1081633641400832709,131072 --disable-features=CalculateNativeWinOcclusion,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SameSiteDefaultChecksMethodRigorously --disable-gpu-compositing --lang=en-US --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Avast\log\cef_log.txt" --log-severity=error --user-agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Avastium (0.0.0) (Windows 10.0)" --disable-webaudio --force-wave-audio --disable-software-rasterizer --no-sandbox --blacklist-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-compositing --disable-accelerated-layers --disable-accelerated-video-decode --blacklist-webgl --disable-bundled-ppapi-flash --disable-flash-3d --enable-aggressive-domstorage-flushing --enable-media-stream --disable-gpu --disable-webgl --disable-gpu-compositing --allow-file-access-from-files=1 --pack_loading_disabled=1 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=9328 /prefetch:1

C:\Program Files\Avast Software\Avast\AvastUI.exe

—

AvastUI.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

Avast Antivirus

Version:

25.6.10221.0

Modules

Images
c:\program files\avast software\avast\avastui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

888

"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswHwid.cat

C:\Program Files\Avast Software\Avast\SetupInf.exe

—

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus Installer

Exit code:

Version:

25.6.10221.0

Modules

Images
c:\program files\avast software\avast\setupinf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

1044

"C:\Program Files\McAfee\Temp1855103906\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp1855103906\installer.exe

installer.exe

User:

admin

Company:

McAfee, LLC

Integrity Level:

HIGH

Description:

McAfee WebAdvisor(installer)

Exit code:

Version:

4,1,1,1054

Modules

Images
c:\program files\mcafee\temp1855103906\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

1080

"C:\WINDOWS\Temp\asw.5b3813cefeb26c60\instup.exe" /sfx:lite /sfxstorage:C:\WINDOWS\Temp\asw.5b3813cefeb26c60 /edition:1 /prod:ais /stub_context:4a0ace23-0b5f-4b03-89c0-d68e38c64d69:11665632 /guid:90a1d014-b0db-4975-8605-b7e977854748 /ga_clientid:cb131748-ed58-4d35-acd1-e9b57fc8cfd2 /silent /ws /psh:2bJ1koXNT4FT01gO1KZw0Bh6T3GuBRRURqdvh8UePFJUjxDL9hefzM3t2goqYEa6CZKq233v2l8SC /cookie:mmm_irs_ppi_005_888_a /ga_clientid:cb131748-ed58-4d35-acd1-e9b57fc8cfd2 /edat_dir:C:\WINDOWS\Temp\asw.dd625157eaad7448

C:\Windows\Temp\asw.5b3813cefeb26c60\Instup.exe

avast_free_antivirus_setup_online_x64.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus Installer

Exit code:

Version:

25.6.10221.0

Modules

Images
c:\windows\temp\asw.5b3813cefeb26c60\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll

1096

"C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\CheatEngine73.exe" /VERYSILENT /ZBDIST

C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\CheatEngine73.exe

—

CheatEngine73.tmp

User:

admin

Company:

Cheat Engine

Integrity Level:

HIGH

Description:

Cheat Engine Setup

Exit code:

Version:

7.3.0.11

Modules

Images
c:\users\admin\appdata\local\temp\is-1lucm.tmp\cheatengine73.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1096

"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

—

WZSetup.exe

User:

admin

Company:

Weather Information Service

Integrity Level:

HIGH

Description:

Weather Delivery Service

Exit code:

Version:

1.0.0.9

Modules

Images
c:\program files (x86)\weatherzero\weatherzeroservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1332

"C:\Users\admin\AppData\Local\Temp\is-2AONV.tmp\CheatEngine73.tmp" /SL5="$A0222,2408085,845312,C:\Users\admin\AppData\Local\Temp\CheatEngine73.exe"

C:\Users\admin\AppData\Local\Temp\is-2AONV.tmp\CheatEngine73.tmp

—

CheatEngine73.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-2aonv.tmp\cheatengine73.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

1388

"C:\Program Files\Avast Software\Avast\defs\25070703\engsup.exe" /get_latest_ga_client_id /get_latest_landingpageid_cookie /get_latest_pagedownloadid_cookie /get_latest_trpar

C:\Program Files\Avast Software\Avast\defs\25070703\engsup.exe

—

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus vps tool

Exit code:

Version:

18.0.2282.0

Modules

Images
c:\program files\avast software\avast\defs\25070703\engsup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

136 998

Read events

125 564

Write events

11 269

Delete events

165

Modification events


(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Owner
Value: 30140000C9B7F2F503F0DB01
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	SessionHash
Value: A13D066D5C6B292E967CAA42809372CD89DAAA2E93721F64F7DEDBD2C18442E2
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	RegFiles0000
Value: C:\Program Files\Cheat Engine 7.3\windowsrepair.exe
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	RegFilesHash
Value: F93A785064F4635A6696A9753898C8E216E2F7F1BE1855E44254F1B9F422D264
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Cheat Engine\VersionCheck
Operation:	write	Name:	CheckOnLaunch
Value: 1
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Cheat Engine\VersionCheck
Operation:	write	Name:	CheckInterval
Value: 1
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	RegFiles0000
Value: C:\Program Files\Cheat Engine 7.3\windowsrepair.exe
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	Sequence
Value:
(PID) Process:	(5168) CheatEngine73.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	delete value	Name:	SessionHash
Value: 㶡洆歜⸩粖䊪鎀쵲�⺪犓搟�틛蓁

Add for printing

Executable files

912

Suspicious files

1 357

Text files

1 471

Unknown types

435

Dropped files

PID	Process	Filename		Type
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\zbShieldUtils.dll		executable
		MD5:E1F18A22199C6F6AA5D87B24E5B39EF1	SHA256:62C56C8CF2AC6521CE047B73AA99B6D3952CA53F11D34B00E98D17674A2FC10D
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\is-I5TOO.tmp		compressed
		MD5:F68008B70822BD28C82D13A289DEB418	SHA256:CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\WeatherZero.png		image
		MD5:9AC6287111CB2B272561781786C46CDD	SHA256:AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\AVAST.png		image
		MD5:378F74A0CBDD582D8B434B7B978FF375	SHA256:1225AFDA135B0BF3B5633595AF4096F8C6620EBB34AA5DF7C64253F03668B33D
6612	CheatEngine73.exe	C:\Users\admin\AppData\Local\Temp\is-2AONV.tmp\CheatEngine73.tmp		executable
		MD5:04F7929159C24D9D1A04E7771F285B57	SHA256:2DDE2C775E7F549C63F95E6AAE533E61B1B4E33400C9034664F826B4A4EF6639
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\is-6UO7O.tmp		image
		MD5:378F74A0CBDD582D8B434B7B978FF375	SHA256:1225AFDA135B0BF3B5633595AF4096F8C6620EBB34AA5DF7C64253F03668B33D
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\WebAdvisor.png		image
		MD5:4CFFF8DC30D353CD3D215FD3A5DBAC24	SHA256:0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
4040	CheatEngine73.exe	C:\Users\admin\AppData\Local\Temp\is-KJK6F.tmp\CheatEngine73.tmp		executable
		MD5:04F7929159C24D9D1A04E7771F285B57	SHA256:2DDE2C775E7F549C63F95E6AAE533E61B1B4E33400C9034664F826B4A4EF6639
5924	CheatEngine73.tmp	C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\is-TPCUG.tmp		image
		MD5:9AC6287111CB2B272561781786C46CDD	SHA256:AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

191

TCP/UDP connections

197

DNS requests

249

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6676	cookie_mmm_irs_ppi_005_888_a.exe	POST	200	142.250.185.142:80	http://www.google-analytics.com/collect	unknown	—	—	whitelisted
6732	WZSetup.exe	GET	200	142.250.185.99:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4580	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2404	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2404	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6676	cookie_mmm_irs_ppi_005_888_a.exe	POST	200	142.250.185.142:80	http://www.google-analytics.com/collect	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6676	cookie_mmm_irs_ppi_005_888_a.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	unknown	—	—	whitelisted
1080	Instup.exe	GET	200	92.122.166.32:80	http://r6726306.iavs9x.u.avast.com/iavs9x/avbugreport_x64_ais-a6e.vpx	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6368	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4580	svchost.exe	20.190.159.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4580	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.32 23.216.77.35 23.216.77.30 23.216.77.8 23.216.77.37 23.216.77.16 23.216.77.42 23.216.77.38	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	20.190.159.128 40.126.31.131 20.190.159.64 20.190.159.68 40.126.31.73 20.190.159.4 20.190.159.75 40.126.31.67 40.126.31.130 40.126.31.0 20.190.159.71 40.126.31.128 40.126.31.69	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
d2oq4dwfbh6gxl.cloudfront.net	18.66.137.45 18.66.137.114 18.66.137.198 18.66.137.70	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	A Network Trojan was detected	ET ADWARE_PUP Win32/OfferCore Checkin M1
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	A Network Trojan was detected	ET ADWARE_PUP Win32/OfferCore Checkin M2
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
—	—	A Network Trojan was detected	ET ADWARE_PUP Win32/OfferCore Checkin M2
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method

Add for printing

Process	Message
Kernelmoduleunloader.exe	Kernelmodule unloader
Kernelmoduleunloader.exe	setup=true
Kernelmoduleunloader.exe	attempting to unload
Kernelmoduleunloader.exe	Setup. So do not show messages
Kernelmoduleunloader.exe	count=0
Kernelmoduleunloader.exe	Running in wow64
Kernelmoduleunloader.exe	SCManager opened
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-1LUCM.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory

General Info

CheatEngine73.exe

7ED6B58360D0D7E033237F37DD314F47

6925AA78B2A1E18524BCBBE09611D079B7BDC9ED

9B8480581FFD010C93C4504D0BB5DCD8C2EBA5C57812E399DA8C6C58024A4903

98304:6Sif4opH4opH4opuE9vBuN1EdKKBEXJhJJ:SDBDBDlDKKB2/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bundleinstaller mutex has been found

Starts NET.EXE for service management

Vulnerable driver has been detected

Changes the autorun value in the registry

Starts Visual C# compiler

ICEDID has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Starts SC.EXE for service management

Windows service management via SC.EXE

Process drops legitimate windows executable

Process drops SQLite DLL files

Drops a system driver (possible attempt to evade defenses)

Uses ICACLS.EXE to modify access control lists

Potential Corporate Privacy Violation

Adds/modifies Windows certificates

The process verifies whether the antivirus software is installed

Executes as Windows Service

Searches for installed software

The process creates files with name similar to system file names

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Starts itself from another location

Process checks presence of unattended files

Uses .NET C# to load dll

Reads Mozilla Firefox installation path

Checks for external IP

Starts CMD.EXE for commands execution

The process drops C-runtime libraries

Detected use of alternative data streams (AltDS)

Creates files in the driver directory

Creates or modifies Windows services

Modifies hosts file to alter network resolution

Connects to unusual port

Reads the date of Windows installation

Checks for Java to be installed

Application launched itself

Read startup parameters

Reads Microsoft Outlook installation path

Process requests binary or script from the Internet

INFO

Checks supported languages

Process checks computer location settings

Reads the computer name

Create files in a temporary directory

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

The sample compiled with russian language support

CHEATENGINE mutex has been found

Reads the software policy settings

The sample compiled with english language support

Reads the machine GUID from the registry

Checks proxy server information

Creates a software uninstall entry

Creates files in the program directory

Creates files or folders in the user directory

Reads CPU info

Reads Environment values

Launching a file from a Registry key

Disables trace logs

The sample compiled with czech language support

Manual execution by a user

Process checks whether UAC notifications are on