Windows Analysis Report
Cheat.exe

AI detected suspicious sample

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: Cheat.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: Cheat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: .pdbRq source: Cheat.exe, 00000000.00000002.2222955578.0000029B146D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Cheat.exe, 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, WER99D1.tmp.dmp.4.dr
Source:	Binary string: Insidious.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: lib.pdb source: Cheat.exe, 00000000.00000002.2222955578.0000029B146D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: C:\Users\kiril\Desktop\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: Cheat.exe
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER99D1.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\Cheat.exe	Code function: 4x nop then jmp 00007FF848F35D5Ah	0_2_00007FF848F3586B
Source: C:\Users\user\Desktop\Cheat.exe	Code function: 4x nop then jmp 00007FF848F33D1Fh	0_2_00007FF848F33BCD
Source: C:\Users\user\Desktop\Cheat.exe	Code function: 4x nop then jmp 00007FF848F3694Bh	0_2_00007FF848F3689F

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: freegeoip.app

Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.0.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.0.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B164B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B16440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: cert9.db.0.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.0.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: Cheat.exe	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Cheat.exe	String found in binary or memory: https://discord.com/api/webhooks/1254423260591030333/Im8Y-IPgPJTWTloM0jy_llzrxAFZLtGLTGrSJEpTfiSbOm4
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B164A0000.00000004.00000800.00020000.00000000.sdmp, Cheat.exe, 00000000.00000002.2223511365.0000029B16440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B164B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app(
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/(
Source: Cheat.exe	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B2646E000.00000004.00000800.00020000.00000000.sdmp, tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B2646E000.00000004.00000800.00020000.00000000.sdmp, tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Cheat.exe, 00000000.00000002.2224011760.0000029B2646E000.00000004.00000800.00020000.00000000.sdmp, tmp9750.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: Cheat.exe, Screen.cs

.Net Code: GetScreen

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: Cheat.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Cheat.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: Cheat.exe, type: SAMPLE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\Cheat.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1864 -s 1568

Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInsidious.exe6 vs Cheat.exe
Source: Cheat.exe, 00000000.00000002.2222955578.0000029B1466C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Cheat.exe
Source: Cheat.exe	Binary or memory string: OriginalFilenameInsidious.exe6 vs Cheat.exe

Source: Cheat.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Cheat.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: Cheat.exe, type: SAMPLE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: Cheat.exe, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@2/15@1/1

Source: C:\Users\user\Desktop\Cheat.exe

File created: C:\Users\user\AppData\Local\44

Source: C:\Users\user\Desktop\Cheat.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1864

Source: C:\Users\user\Desktop\Cheat.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9750.tmp

Source: Cheat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Cheat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Cheat.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Cheat.exe, 00000000.00000002.2223511365.0000029B16569000.00000004.00000800.00020000.00000000.sdmp, Cheat.exe, 00000000.00000002.2223511365.0000029B1649A000.00000004.00000800.00020000.00000000.sdmp, tmp9842.tmp.dat.0.dr, tmp97DF.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Cheat.exe

Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\Cheat.exe

File read: C:\Users\user\Desktop\Cheat.exe

Source: unknown	Process created: C:\Users\user\Desktop\Cheat.exe "C:\Users\user\Desktop\Cheat.exe"
Source: C:\Users\user\Desktop\Cheat.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1864 -s 1568

Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\Cheat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\Cheat.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: Cheat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Cheat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Cheat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: .pdbRq source: Cheat.exe, 00000000.00000002.2222955578.0000029B146D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Cheat.exe, 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, WER99D1.tmp.dmp.4.dr
Source:	Binary string: Insidious.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: lib.pdb source: Cheat.exe, 00000000.00000002.2222955578.0000029B146D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: C:\Users\kiril\Desktop\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: Cheat.exe
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER99D1.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER99D1.tmp.dmp.4.dr

Source: Cheat.exe

Static PE information: 0x92718E88 [Sat Nov 9 12:33:12 2047 UTC]

Source: C:\Users\user\Desktop\Cheat.exe	Code function: 0_2_00007FF848F3753A push ebx; iretd	0_2_00007FF848F3756A
Source: C:\Users\user\Desktop\Cheat.exe	Code function: 0_2_00007FF848F37548 push ebx; iretd	0_2_00007FF848F3756A
Source: C:\Users\user\Desktop\Cheat.exe	Code function: 0_2_00007FF848F3756B push ebx; iretd	0_2_00007FF848F3756A

Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Cheat.exe	Memory allocated: 29B14810000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Memory allocated: 29B2E3C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Cheat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\Cheat.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe TID: 7616	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Cheat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Cheat.exe, 00000000.00000002.2223300958.0000029B148BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: tmp9831.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\Cheat.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Cheat.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Cheat.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Cheat.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\Cheat.exe

Queries volume information: C:\Users\user\Desktop\Cheat.exe VolumeInformation

Source: C:\Users\user\Desktop\Cheat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected 44Caliber Stealer

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum
Source: Cheat.exe, 00000000.00000002.2223511365.0000029B164D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JaxxDir
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ExodusDir
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: Cheat.exe, 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Cheat.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR

Remote Access Functionality

Yara detected 44Caliber Stealer

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Yara match	File source: Cheat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Cheat.exe.29b14490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1986296648.0000029B14492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cheat.exe PID: 1864, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Cheat.exe	69%	Virustotal		Browse
Cheat.exe	100%	Avira	HEUR/AGEN.1307065
Cheat.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
freegeoip.app	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://steamcommunity.com/profiles/ASOFTWARE	0%	Avira URL Cloud	safe
https://freegeoip.app(	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://freegeoip.app/xml/(	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://discord.com/api/webhooks/1254423260591030333/Im8Y-IPgPJTWTloM0jy_llzrxAFZLtGLTGrSJEpTfiSbOm4	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/ASOFTWARE	0%	Virustotal		Browse
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/(	1%	Virustotal		Browse
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://freegeoip.app	0%	Avira URL Cloud	safe
http://freegeoip.app	0%	Virustotal		Browse
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Virustotal		Browse
https://freegeoip.app	0%	Virustotal		Browse
https://api.vimeworld.ru/user/name/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	188.114.97.3	true	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/ASOFTWARE	Cheat.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://freegeoip.app(	Cheat.exe, 00000000.00000002.2223511365.0000029B164B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	Cheat.exe, 00000000.00000002.2223511365.0000029B164A0000.00000004.00000800.00020000.00000000.sdmp, Cheat.exe, 00000000.00000002.2223511365.0000029B16440000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.0.dr	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	cert9.db.0.dr	false	Avira URL Cloud: safe	unknown
https://freegeoip.app/xml/(	Cheat.exe, 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp9750.tmp.tmpdb.0.dr	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1254423260591030333/Im8Y-IPgPJTWTloM0jy_llzrxAFZLtGLTGrSJEpTfiSbOm4	Cheat.exe	true	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	cert9.db.0.dr	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	cert9.db.0.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.0.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	tmp9750.tmp.tmpdb.0.dr	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/	Cheat.exe, 00000000.00000002.2223511365.0000029B163C1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	Cheat.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp9750.tmp.tmpdb.0.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Cheat.exe, 00000000.00000002.2223511365.0000029B16440000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Cheat.exe, 00000000.00000002.2224011760.0000029B26444000.00000004.00000800.00020000.00000000.sdmp, tmp9761.tmp.dat.0.dr, tmp97F0.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://freegeoip.app	Cheat.exe, 00000000.00000002.2223511365.0000029B164B4000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	freegeoip.app	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1494203
Start date and time:	2024-08-17 15:49:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cheat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@2/15@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 76% Number of executed functions: 69 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Cheat.exe, PID 1864 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:50:14	API Interceptor	1x Sleep call for process: WerFault.exe modified
09:50:14	API Interceptor	1x Sleep call for process: Cheat.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	FedEx Shipping Document.exe	Get hash	malicious	Azorult	Browse	l0h5.shop/CM341/index.php
	http://binanceevn.com/index/index/lang/ko-kr/Trade/tradelist	Get hash	malicious	Unknown	Browse	binanceevn.com/Verify/code
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xls	Get hash	malicious	Unknown	Browse	jiourl.com/anbdld
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xls	Get hash	malicious	Unknown	Browse	jiourl.com/anbdld
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/qLW2DYuh/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/jSVzi5ju/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/Ry4NfKBu/download
	http://dpd-hr.receiving-delivery.com/track/5294558215/	Get hash	malicious	Unknown	Browse	dpd-hr.receiving-delivery.com/track/5294558215/
	Payment Advice_pdf.exe	Get hash	malicious	FormBook	Browse	www.hanguyenwriter.com/d6sr/?wr0Pj=B6mQBi1XdG6Ip8HjYP8J20Tn9n8w+fm1VWBEYYr6I8xhcx3c/+KR1ZBvapv5UXRO0F08kJtDNJclAYc2CHffI7PBVjFLJU51UUvdjXHprzdYJUZk4jM9p8s=&1d=cfLL
	UBEGtm2WmN.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149387cm.n9sh.top/Authuniversaltrackpublic.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freegeoip.app	B5U2ccQ8H1.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.97.3
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	188.114.96.3
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.73.97
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.160.84
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.73.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	outlook-attachment.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.16.74
	apzzz-20c7e.kxcdn.com.ps1	Get hash	malicious	LummaC, Go Injector	Browse	104.21.16.74
	set-up.exe	Get hash	malicious	Cryptbot	Browse	188.114.96.3
	set-up.exe	Get hash	malicious	Cryptbot	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.69.39
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.16.74
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.16.74
	https://aquafish.net/pagecon/pagecon.cgi?no=13&page=http://aaudio-for-wordpress-131830832858f3d16cef719d9e5e572d8eeda9f5.s3-website-us-west-2.amazonaws.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	RUN.exe	Get hash	malicious	LummaC	Browse	172.67.178.83
	https://89be4869.e90cd77623a877cd9e1af5f9.workers.dev/?qrc=michael.girault@xfab.com	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	apzzz-20c7e.kxcdn.com.ps1	Get hash	malicious	LummaC, Go Injector	Browse	188.114.97.3
	DHL Receipt_4977049580.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://pub-244e972cad9242be820ac9530c22a242.r2.dev/%EA%B0%90%EC%82%AC%ED%95%A9%EB%8B%88%EB%8B%A4.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://gtm.you1.cn/profiles/76561198013673010	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://pub-5844853ca98a4f61b82797c3efcc684d.r2.dev/wazxrd.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://loginkarkeen.gitbook.io/us	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://blockedwindowsdsgfsdg.pages.dev/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://mui.qfv.mybluehost.me/admin1/am/infospage.php/	Get hash	malicious	Unknown	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Cheat.exe_2f2ad1ee7045ac41c39471de6d9c1679b604e43_9caa26b2_6713b3cc-c4d1-46b8-8b83-706a53bfb040\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1082934100174906
Encrypted:	false
SSDEEP:	192:rFzFFlohyL809c0jQaWxTklEeZBzuiF/Z24lO8QH:rJdohyr9c0jQaGGEmBzuiF/Y4lO8QH
MD5:	ACEA7D060D0428C7BB5DBC9D1BF666E5
SHA1:	6EC670B8CD01D3F7AD215DCEEB222AF701DAA4CD
SHA-256:	016EF435EB45D9F7D9450A0947C9D6A1B073D338B6F8609EFEF5AE59A3EF9B1A
SHA-512:	9E0C6DD99322A600F16A254E326696C175BABC97850F6F5630FC62DB6185F59E49FF74A7BCACE4B28081ADD24E5550C3FEC51C1369662A4B475F9ADC4E9ABF95
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.3.7.6.1.9.1.4.7.1.7.6.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.3.7.6.1.9.3.1.5.9.2.7.1.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.1.3.b.3.c.c.-.c.4.d.1.-.4.6.b.8.-.8.b.8.3.-.7.0.6.a.5.3.b.f.b.0.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.1.4.4.7.e.8.-.c.9.3.1.-.4.a.1.9.-.b.8.5.a.-.7.6.5.a.b.c.3.2.f.d.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.C.h.e.a.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.i.d.i.o.u.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.4.8.-.0.0.0.1.-.0.0.1.4.-.c.5.c.1.-.9.1.5.4.a.c.f.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.1.8.6.e.c.8.a.7.1.b.7.6.8.8.5.0.a.d.2.d.f.e.6.a.d.f.3.7.6.7.0.0.0.0.0.0.0.0.!.0.0.0.0.5.f.a.b.6.c.c.b.0.7.4.8.a.2.d.e.5.0.2.b.8.7.7.c.3.4.d.2.4.0.9.b.1.1.1.8.b.d.3.0.!.C.h.e.a.t...e.x.e.....T.a.r.g.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99D1.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sat Aug 17 13:49:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	560242
Entropy (8bit):	3.361046861096494
Encrypted:	false
SSDEEP:	6144:uJqG+avGoaHAgqSIx3Qbb+s2476J36TPQr2B:DDav5YRq9Qes24eJ36TPQiB
MD5:	E9AC652F957DF669D4FFC487CE9CFFAA
SHA1:	6693D37B4F47A37DD7D573A964B497189431BB2D
SHA-256:	23A0B3DF6EC3B7AAC8F76CE09A97DBA5C368E2B8F330A4DED599D751F2851EED
SHA-512:	1493F4E2C6C6D5BB0941F12C666D5E4F1DA9564ECEB016A4FD21427A7021BE59C726E6E7B3424462B38A1F9925432CD916E598D598D1831ADDB50380D312888C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................,...$.......<...P$......t....$......TZ..............l.......8...........T...........pE...G...........7...........8..............................................................................eJ.......9......Lw......................T.......H...~..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EF3.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8784
Entropy (8bit):	3.6975979731830497
Encrypted:	false
SSDEEP:	192:R6l7wVeJ5Wvf6YEItcPDXgmfZGiHprt89bgD0f8Am:R6lXJ4vf6YESMDXgmfkiQgwfq
MD5:	4F690DCC5BABFFB5F2B3F217C9C9545E
SHA1:	F2C67729EC2C295244BFB0329E07FD2833AA77A6
SHA-256:	6CACC23A2C917F4B6826A84F9021A6230DAB535AFFE590EA5C9941D37DE5FE8A
SHA-512:	77608349D2C2C97F28991CB0FAA579A854B6AE31D8B3F33AFCB6CFAD3ABBDA30F2E2BD1DD39C5B56B0F3704FDF087135A356291F4F1DA87B3B8BEFE908731726
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F32.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4779
Entropy (8bit):	4.444395953183569
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9SVWpW8VY7Ym8M4JQEoFSuHyq8vdE6XClyPqd:uIjffI7Nk7VHJtR8W26XCUPqd
MD5:	F8C9F9C4DCC6F5A6B1397FE63129375B
SHA1:	A08A270237AF7D628207E95DC72010C1A3F7EA53
SHA-256:	0189240E970980D0241EE4B6B053ADE1EC6AC9C315C7360C7CE01E0C2F415338
SHA-512:	9D2F3FEB45408A54C740CCC7D1712FAC8028219658C565D1EBEBF78D76774B13154B536D09C7989905B7B790B087A66078EB035E56754695B0429B60FCF2E304
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="459652" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\v6zchhhv.default-release\cert9.db

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.643383182059925
Encrypted:	false
SSDEEP:	384:A1zkVmvQhyn+Zoz67kMMTNlH333JqN8j/LKXu5Uu/:AlM0sCyW
MD5:	F23F48363C7BAA0709698208A7E833A0
SHA1:	07D2AEE271A0F2BA14608FE5A9A677E2594D22CC
SHA-256:	51DFB72705CBEB6AF5A14F2BE20FC39172E86263E25704F50BEB292F776B7713
SHA-512:	F8F16198A96F047E320EF82026160EBD5A0836B48FC3496C427F90965CF3BF5FAB5EBE0FB9016E3BDE56657EB42627D7286AED3167A422D69F865524892C3DFA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\v6zchhhv.default-release\key4.db

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08438200565341271
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
MD5:	F7EEE7B0D281E250D1D8E36486F5A2C3
SHA1:	309736A27E794672BD1BDFBAC69B2C6734FC25CE
SHA-256:	378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
SHA-512:	CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9750.tmp.tmpdb

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9761.tmp.dat

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp97DF.tmp.dat

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp97F0.tmp.dat

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9810.tmp.tmpdb

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9811.tmp.dat

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9831.tmp.dat

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9842.tmp.dat

Process:	C:\Users\user\Desktop\Cheat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve