Field | Value |
---|---|
download: | download.php |
Full analysis: | https://app.any.run/tasks/083073ee-0496-4a39-a677-a125a810d473 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | November 08, 2019, 17:45:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines |
MD5: | 30B0963A41BA4EF9DFEBFA6CAD86845E |
SHA1: | DBA6D90562D18C5EC55D4ADE978E9A7562C29341 |
SHA256: | EF95038E2290B01CAC55FDA5918B58E77155E53A0191B959A230A636B6049E09 |
SSDEEP: | 384:+CMLS5O4/IjlfGKZIJkI7/Pm2DLeQUvrtjM0Mk6uW:+CSSU4/HKZIF7/PVDLeQUvrtjM0Mk6uW |
Title: | Cheat Engine |
ContentType: | text/html; charset=utf-8 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1516 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\download.php | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
252 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe |
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 68.0.1 | ||||
3748 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 68.0.1 | ||||
2116 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.0.502793132\701979972" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 1156 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 1; Version: 68.0.1 | ||||
1744 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.3.1054923503\1254435007" -childID 1 -isForBrowser -prefsHandle 1692 -prefMapHandle 1316 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 1716 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 68.0.1 | ||||
2924 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.13.1528513629\3814724" -childID 2 -isForBrowser -prefsHandle 2820 -prefMapHandle 2824 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 2840 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 68.0.1 | ||||
4072 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.20.1025948625\49713112" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3808 -prefsLen 7129 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 3820 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 68.0.1 | ||||
3768 | "C:\Users\admin\Downloads\CheatEngine70.exe" | C:\Users\admin\Downloads\CheatEngine70.exe | — | firefox.exe |
User: admin; Company: Cheat Engine; Integrity Level: MEDIUM; Description: Cheat Engine 7.0 Setup; Exit code: 0; Version: 7.0.0.8 | ||||
960 | "C:\Users\admin\AppData\Local\Temp\is-MHS8M.tmp\CheatEngine70.tmp" /SL5="$7012A,17382706,121344,C:\Users\admin\Downloads\CheatEngine70.exe" | C:\Users\admin\AppData\Local\Temp\is-MHS8M.tmp\CheatEngine70.tmp | — | CheatEngine70.exe |
User: admin; Integrity Level: MEDIUM; Description: Setup/Uninstall; Exit code: 0; Version: 51.1052.0.0 | ||||
1252 | "C:\Users\admin\Downloads\CheatEngine70.exe" /SPAWNWND=$301D8 /NOTIFYWND=$7012A | C:\Users\admin\Downloads\CheatEngine70.exe | — | CheatEngine70.tmp |
User: admin; Company: Cheat Engine; Integrity Level: HIGH; Description: Cheat Engine 7.0 Setup; Exit code: 0; Version: 7.0.0.8 | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3748 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | — |
3748 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | — |
3748 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | — | — |
3748 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | — | — |
3748 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | — | — |
3748 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 354459382F30B8994109C88659DFA1F3 | E3E8E2B7E7EECA231620D83C70FA5A926E8B9CE74C51F595F71191DC0B50527E |
3748 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | DE9496ACA551ADE408EF6466A11833A1 | 8F9C7FDB3E0BC01024E43A8E242468FC4DD4F74C725E32A883571635203DC10A |
3748 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 | jsonlz4 | 6D378E0D40B6EACA22C8BCE899A1C5C1 | ADA2467B2477ACEFF837AC7820C435AD1EBBE844B2DA31C7AB9AE8D010C7A639 |
3748 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_8iKU86PGZDWy3Hg | — | — | — |
3748 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | 5027177F513CDAE07DB2330E1DED5934 | 0C53F16051E738287A4612F68E296238087627E594CFD6DDFA1FECC2E998328B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3748 | firefox.exe | POST | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
3748 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3748 | firefox.exe | GET | 200 | 2.16.106.152:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
3748 | firefox.exe | POST | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
3748 | firefox.exe | GET | 200 | 143.204.101.115:80 | http://static-v2.ffsrchmgr.com/js/vn2143cxz67m.js | US | text | 64.1 Kb | whitelisted |
3748 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3748 | firefox.exe | POST | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
3748 | firefox.exe | POST | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
3748 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3748 | firefox.exe | POST | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3748 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3748 | firefox.exe | 143.204.101.24:443 | firefox.settings.services.mozilla.com | — | US | suspicious |
3748 | firefox.exe | 172.217.21.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3748 | firefox.exe | 52.40.98.65:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3748 | firefox.exe | 54.230.229.64:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
3748 | firefox.exe | 52.89.218.39:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3748 | firefox.exe | 2.16.106.152:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
3748 | firefox.exe | 54.191.170.25:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3748 | firefox.exe | 172.217.23.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3748 | firefox.exe | 172.217.18.100:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com | | whitelisted |
a1089.dscd.akamai.net | | whitelisted |
search.services.mozilla.com | | whitelisted |
search.r53-2.services.mozilla.com | | whitelisted |
push.services.mozilla.com | | whitelisted |
autopush.prod.mozaws.net | | whitelisted |
snippets.cdn.mozilla.net | | whitelisted |
d228z91au11ukj.cloudfront.net | | whitelisted |
ocsp.digicert.com | | whitelisted |
cs9.wac.phicdn.net | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
3376 | CheatEngine70.tmp | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2 |
3376 | CheatEngine70.tmp | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 |
3376 | CheatEngine70.tmp | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 |
3376 | CheatEngine70.tmp | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 |
Process | Message |
---|---|
Kernelmoduleunloader.exe | Kernelmodule unloader |
Kernelmoduleunloader.exe | Setup. So do not show messages |
Kernelmoduleunloader.exe | attempting to unload |
Kernelmoduleunloader.exe | SCManager opened |
Kernelmoduleunloader.exe | count=0 |
Kernelmoduleunloader.exe | setup=true |
cheatengine-i386.exe | setDPIAware |
cheatengine-i386.exe | p3 |
cheatengine-i386.exe | arm disa6 |
cheatengine-i386.exe | arm disassembler |