analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CheatEngine683.exe

Full analysis: https://app.any.run/tasks/d5f527a0-c737-4eb0-a1ba-26e8b13cc83e
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: February 11, 2019, 10:22:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
adware
installcore
pup
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F1C2281AF4F1112F613C7CB51F3AE6B0

SHA1:

56F10B2009F224B891D979AF525051D3E842A687

SHA256:

BBE0A00833E54A6CE70FEFA15F0F09C637CE894047D4CE534B2654508CBA8BFB

SSDEEP:

393216:vMgXCrRV64yZJc6BPCpZtM8DTJXTwys6q0:kgXCrRA4yZxartMIm56q0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • INSTALLCORE was detected

      • CheatEngine683.tmp (PID: 2524)

    • Application was dropped or rewritten from another process

      • windowsrepair.exe (PID: 2536)
      • Kernelmoduleunloader.exe (PID: 3648)
      • ceregreset.exe (PID: 3968)
      • cheatengine-i386.exe (PID: 2356)
      • Cheat Engine.exe (PID: 2672)
      • Tutorial-i386.exe (PID: 4068)

    • Connects to CnC server

      • CheatEngine683.tmp (PID: 2524)

    • Loads dropped or rewritten executable

      • cheatengine-i386.exe (PID: 2356)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • CheatEngine683.tmp (PID: 2524)

    • Reads Environment values

      • CheatEngine683.tmp (PID: 2524)

    • Reads Windows owner or organization settings

      • CheatEngine683.tmp (PID: 2524)

    • Executable content was dropped or overwritten

      • CheatEngine683.exe (PID: 3464)
      • CheatEngine683.exe (PID: 3924)
      • CheatEngine683.tmp (PID: 2524)

    • Reads the Windows organization settings

      • CheatEngine683.tmp (PID: 2524)

    • Reads CPU info

      • CheatEngine683.tmp (PID: 2524)

    • Reads internet explorer settings

      • CheatEngine683.tmp (PID: 2524)

    • Reads the date of Windows installation

      • CheatEngine683.tmp (PID: 2524)

    • Reads Windows Product ID

      • CheatEngine683.tmp (PID: 2524)

    • Modifies the open verb of a shell class

      • CheatEngine683.tmp (PID: 2524)

    • Uses ICACLS.EXE to modify access control list

      • CheatEngine683.tmp (PID: 2524)

    • Creates files in the program directory

      • cheatengine-i386.exe (PID: 2356)

    • Starts Internet Explorer

      • CheatEngine683.tmp (PID: 2524)

    • Reads Internet Cache Settings

      • cheatengine-i386.exe (PID: 2356)

    • Creates files in the user directory

      • cheatengine-i386.exe (PID: 2356)

  • INFO

    • Application was dropped or rewritten from another process

      • CheatEngine683.tmp (PID: 2324)
      • CheatEngine683.tmp (PID: 2524)

    • Loads dropped or rewritten executable

      • CheatEngine683.tmp (PID: 2524)

    • Creates a software uninstall entry

      • CheatEngine683.tmp (PID: 2524)

    • Reads settings of System Certificates

      • cheatengine-i386.exe (PID: 2356)

    • Application launched itself

      • iexplore.exe (PID: 3396)

    • Changes internet zones settings

      • iexplore.exe (PID: 3396)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2396)

    • Creates files in the user directory

      • iexplore.exe (PID: 2396)

    • Creates files in the program directory

      • CheatEngine683.tmp (PID: 2524)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2396)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2396)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

ProductVersion: 6.8.3.2
ProductName: Cheat Engine 6.8.3
LegalCopyright: Cheat Engine
FileVersion: 6.8.3.2
FileDescription: Cheat Engine 6.8.3 Setup
CompanyName: Cheat Engine
Comments: This installation was built with Inno Setup.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 6.8.3.2
FileVersionNumber: 6.8.3.2
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: 6
OSVersion: 5
EntryPoint: 0x117dc
UninitializedDataSize: -
InitializedDataSize: 53760
CodeSize: 66560
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2016:04:06 16:39:04+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 06-Apr-2016 14:39:04
Detected languages:
  • Dutch - Netherlands
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: Cheat Engine
FileDescription: Cheat Engine 6.8.3 Setup
FileVersion: 6.8.3.2
LegalCopyright: Cheat Engine
ProductName: Cheat Engine 6.8.3
ProductVersion: 6.8.3.2

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 06-Apr-2016 14:39:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000F244
0x0000F400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.37521
.itext
0x00011000
0x00000F64
0x00001000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.7322
.data
0x00012000
0x00000C88
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.29672
.bss
0x00013000
0x000056BC
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00019000
0x00000E04
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.59781
.tls
0x0001A000
0x00000008
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x0001B000
0x00000018
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.204488
.rsrc
0x0001C000
0x0000B200
0x0000B200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.14507

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.13965
1580
UNKNOWN
English - United States
RT_MANIFEST
2
3.47151
1384
UNKNOWN
Dutch - Netherlands
RT_ICON
3
3.91708
744
UNKNOWN
Dutch - Netherlands
RT_ICON
4
3.91366
2216
UNKNOWN
Dutch - Netherlands
RT_ICON
4091
2.56031
104
UNKNOWN
UNKNOWN
RT_STRING
4092
3.25287
212
UNKNOWN
UNKNOWN
RT_STRING
4093
3.26919
164
UNKNOWN
UNKNOWN
RT_STRING
4094
3.33268
684
UNKNOWN
UNKNOWN
RT_STRING
4095
3.34579
844
UNKNOWN
UNKNOWN
RT_STRING
4096
3.28057
660
UNKNOWN
UNKNOWN
RT_STRING

Imports

advapi32.dll
comctl32.dll
kernel32.dll
oleaut32.dll
user32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
13
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start cheatengine683.exe cheatengine683.tmp no specs cheatengine683.exe #INSTALLCORE cheatengine683.tmp kernelmoduleunloader.exe windowsrepair.exe no specs icacls.exe no specs ceregreset.exe no specs cheat engine.exe no specs cheatengine-i386.exe iexplore.exe iexplore.exe tutorial-i386.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3464"C:\Users\admin\AppData\Local\Temp\CheatEngine683.exe" C:\Users\admin\AppData\Local\Temp\CheatEngine683.exe
explorer.exe
User:
admin
Company:
Cheat Engine
Integrity Level:
MEDIUM
Description:
Cheat Engine 6.8.3 Setup
Exit code:
0
Version:
6.8.3.2
2324"C:\Users\admin\AppData\Local\Temp\is-Q36DN.tmp\CheatEngine683.tmp" /SL5="$30190,14336707,121344,C:\Users\admin\AppData\Local\Temp\CheatEngine683.exe" C:\Users\admin\AppData\Local\Temp\is-Q36DN.tmp\CheatEngine683.tmpCheatEngine683.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
3924"C:\Users\admin\AppData\Local\Temp\CheatEngine683.exe" /SPAWNWND=$3019A /NOTIFYWND=$30190 C:\Users\admin\AppData\Local\Temp\CheatEngine683.exe
CheatEngine683.tmp
User:
admin
Company:
Cheat Engine
Integrity Level:
HIGH
Description:
Cheat Engine 6.8.3 Setup
Exit code:
0
Version:
6.8.3.2
2524"C:\Users\admin\AppData\Local\Temp\is-R5G4A.tmp\CheatEngine683.tmp" /SL5="$40194,14336707,121344,C:\Users\admin\AppData\Local\Temp\CheatEngine683.exe" /SPAWNWND=$3019A /NOTIFYWND=$30190 C:\Users\admin\AppData\Local\Temp\is-R5G4A.tmp\CheatEngine683.tmp
CheatEngine683.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
3648"C:\Program Files\Cheat Engine 6.8.3\Kernelmoduleunloader.exe" /SETUPC:\Program Files\Cheat Engine 6.8.3\Kernelmoduleunloader.exe
CheatEngine683.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
2536"C:\Program Files\Cheat Engine 6.8.3\windowsrepair.exe" /sC:\Program Files\Cheat Engine 6.8.3\windowsrepair.exeCheatEngine683.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
3824"icacls" "C:\Program Files\Cheat Engine 6.8.3" /grant *S-1-15-2-1:(OI)(CI)(RX) /TC:\Windows\system32\icacls.exeCheatEngine683.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
1332
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3968"C:\Program Files\Cheat Engine 6.8.3\ceregreset.exe" -silent -dontdeletecustomtypes -dontdeleteversioncheckC:\Program Files\Cheat Engine 6.8.3\ceregreset.exeCheatEngine683.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
2672"C:\Program Files\Cheat Engine 6.8.3\Cheat Engine.exe"C:\Program Files\Cheat Engine 6.8.3\Cheat Engine.exeCheatEngine683.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
6.3.0.0
2356"C:\Program Files\Cheat Engine 6.8.3\cheatengine-i386.exe" C:\Program Files\Cheat Engine 6.8.3\cheatengine-i386.exe
Cheat Engine.exe
User:
admin
Company:
Cheat Engine
Integrity Level:
HIGH
Description:
Cheat Engine
Exit code:
0
Version:
6.8.3.5803
Total events
1 267
Read events
1 079
Write events
0
Delete events
0

Modification events

No data
Executable files
55
Suspicious files
7
Text files
161
Unknown types
19

Dropped files

PID
Process
Filename
Type
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\00248463.log
MD5:
SHA256:
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\is-DENQH.tmp\ApLjypj.dllexecutable
MD5:48BC80695D6C292CF144248FFD11A2E5
SHA256:F4D13A9D3E12C4C1524E87D369FF8E1E9A1C4F82C72211BD05FA0283640702D1
3464CheatEngine683.exeC:\Users\admin\AppData\Local\Temp\is-Q36DN.tmp\CheatEngine683.tmpexecutable
MD5:C2D0AE931B7651B0D332DFA384AFEE22
SHA256:C5E4AB9CF706C908D9A2388182A57B1B8DF7E8AC7D210BF046CB6B8EB1745DCC
3924CheatEngine683.exeC:\Users\admin\AppData\Local\Temp\is-R5G4A.tmp\CheatEngine683.tmpexecutable
MD5:C2D0AE931B7651B0D332DFA384AFEE22
SHA256:C5E4AB9CF706C908D9A2388182A57B1B8DF7E8AC7D210BF046CB6B8EB1745DCC
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\nsd239318747420\css\sdk-ui\browse.csstext
MD5:6009D6E864F60AEA980A9DF94C1F7E1C
SHA256:5EF48A8C8C3771B4F233314D50DD3B5AFDCD99DD4B74A9745C8FE7B22207056D
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\nsd239318747420\css\sdk-ui\progress-bar.csstext
MD5:5335F1C12201B5F7CF5F8B4F5692E3D1
SHA256:974CD89E64BDAA85BF36ED2A50AF266D245D781A8139F5B45D7C55A0B0841DDA
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\nsd239318747420\locale\BE.localetext
MD5:411748400CD72340BCF29E34F539340A
SHA256:2C9E5A82C1EDABE537C04C330A87332FAA1188A4BA3394084E756E9AB2F0066A
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\nsd239318747420\css\main.csstext
MD5:9B27E2A266FE15A3AABFE635C29E8923
SHA256:166AA42BC5216C5791388847AE114EC0671A0D97B9952D14F29419B8BE3FB23F
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\nsd239318747420\css\sdk-ui\button.csstext
MD5:37E1FF96E084EC201F0D95FEEF4D5E94
SHA256:8E806F5B94FC294E918503C8053EF1284E4F4B1E02C7DA4F4635E33EC33E0534
2524CheatEngine683.tmpC:\Users\admin\AppData\Local\Temp\nsd239318747420\csshover3.htchtml
MD5:52FA0DA50BF4B27EE625C80D36C67941
SHA256:E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
11
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2524
CheatEngine683.tmp
GET
200
52.214.73.247:80
http://rp.ginihehen.com/
IE
malicious
2396
iexplore.exe
GET
200
143.204.208.165:80
http://ic-dc.cleanrepositorytowers.com/pr/public/css/style.css
US
text
1.26 Kb
whitelisted
2396
iexplore.exe
GET
301
104.20.175.30:80
http://cheatengine.org/typ.php
US
whitelisted
2524
CheatEngine683.tmp
GET
200
46.166.187.59:80
http://img.ginihehen.com/img/Rowabobeso/bg_fus_TB.png
NL
image
10.5 Kb
malicious
2524
CheatEngine683.tmp
POST
200
52.31.54.204:80
http://os.ginihehen.com/Fusioncheatengine/
IE
binary
539 Kb
whitelisted
2524
CheatEngine683.tmp
POST
200
52.214.73.247:80
http://rp.ginihehen.com/
IE
malicious
2524
CheatEngine683.tmp
POST
200
52.214.73.247:80
http://rp.ginihehen.com/
IE
malicious
2524
CheatEngine683.tmp
POST
200
52.214.73.247:80
http://rp.ginihehen.com/
IE
malicious
2524
CheatEngine683.tmp
POST
200
52.214.73.247:80
http://rp.ginihehen.com/
IE
malicious
2524
CheatEngine683.tmp
POST
200
52.214.73.247:80
http://rp.ginihehen.com/
IE
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2524
CheatEngine683.tmp
52.214.73.247:80
rp.ginihehen.com
Amazon.com, Inc.
IE
malicious
3396
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2396
iexplore.exe
143.204.208.165:80
ic-dc.cleanrepositorytowers.com
US
malicious
2524
CheatEngine683.tmp
46.166.187.59:80
img.ginihehen.com
NForce Entertainment B.V.
NL
malicious
2396
iexplore.exe
104.20.175.30:443
cheatengine.org
Cloudflare Inc
US
shared
2396
iexplore.exe
104.20.175.30:80
cheatengine.org
Cloudflare Inc
US
shared
2396
iexplore.exe
74.117.182.93:443
www.1-1ads.com
WZ Communications Inc.
US
unknown
2524
CheatEngine683.tmp
52.31.54.204:80
os.ginihehen.com
Amazon.com, Inc.
IE
malicious
2356
cheatengine-i386.exe
104.20.175.30:443
cheatengine.org
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
rp.ginihehen.com
  • 52.214.73.247
  • 54.194.149.175
malicious
os.ginihehen.com
  • 52.31.54.204
  • 52.214.236.246
  • 52.31.245.195
whitelisted
img.ginihehen.com
  • 46.166.187.59
malicious
cheatengine.org
  • 104.20.175.30
  • 104.20.174.30
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ic-dc.cleanrepositorytowers.com
  • 143.204.208.165
  • 143.204.208.61
  • 143.204.208.221
  • 143.204.208.77
whitelisted
www.1-1ads.com
  • 74.117.182.93
whitelisted

Threats

PID
Process
Class
Message
2524
CheatEngine683.tmp
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
2524
CheatEngine683.tmp
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
2524
CheatEngine683.tmp
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
2524
CheatEngine683.tmp
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
8 ETPRO signatures available at the full report
Process
Message
Kernelmoduleunloader.exe
Kernelmodule unloader
Kernelmoduleunloader.exe
Setup. So do not show messages
Kernelmoduleunloader.exe
attempting to unload
Kernelmoduleunloader.exe
SCManager opened
Kernelmoduleunloader.exe
count=0
Kernelmoduleunloader.exe
setup=true
cheatengine-i386.exe
setDPIAware
cheatengine-i386.exe
p3
cheatengine-i386.exe
Offset of LBR_Count=760
cheatengine-i386.exe
sizeof fxstate = 512
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CheatEngine683.exe