Windows Analysis Report
7FEGBYFBHFBJH32.exe

AI detected suspicious sample

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for sample

Source: 7FEGBYFBHFBJH32.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: 7FEGBYFBHFBJH32.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481EC2000.00000004.00000800.00020000.00000000.sdmp, WER525E.tmp.dmp.3.dr
Source:	Binary string: Insidious.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER525E.tmp.dmp.3.dr
Source:	Binary string: C:\Users\ddtug\Downloads\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: 7FEGBYFBHFBJH32.exe
Source:	Binary string: mscorlib.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Core.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb#( source: WER525E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: Insidious.pdb@w^ source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER525E.tmp.dmp.3.dr

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 4x nop then jmp 00007FFD9B7E3D1Fh	0_2_00007FFD9B7E3BCD
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 4x nop then jmp 00007FFD9B7E668Ah	0_2_00007FFD9B7E61C8
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 4x nop then mov eax, dword ptr [ebp-24h]	0_2_00007FFD9B7F4ED0
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 4x nop then jmp 00007FFD9B7E88ABh	0_2_00007FFD9B7E8581
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 4x nop then mov edx, dword ptr [ebp-14h]	0_2_00007FFD9B7E5B30

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: freegeoip.app

Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.0.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.0.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481E6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: cert9.db.0.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.0.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: 7FEGBYFBHFBJH32.exe	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7FEGBYFBHFBJH32.exe	String found in binary or memory: https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp, 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: 7FEGBYFBHFBJH32.exe	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D48000.00000004.00000800.00020000.00000000.sdmp, tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D48000.00000004.00000800.00020000.00000000.sdmp, tmp4FED.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 7FEGBYFBHFBJH32.exe, Screen.cs

.Net Code: GetScreen

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: Finds samples of the 44Caliber stealer Author: Sekoia.io
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: Finds samples of the 44Caliber stealer Author: Sekoia.io
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700

Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInsidious.exe6 vs 7FEGBYFBHFBJH32.exe
Source: 7FEGBYFBHFBJH32.exe	Binary or memory string: OriginalFilenameInsidious.exe6 vs 7FEGBYFBHFBJH32.exe

Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: infostealer_win_44caliber author = Sekoia.io, description = Finds samples of the 44Caliber stealer, creation_date = 2022-03-08, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/razexgod/44CALIBER, id = 44e5bbc1-f442-47d3-8431-25182f38439d
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_44caliber author = Sekoia.io, description = Finds samples of the 44Caliber stealer, creation_date = 2022-03-08, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/razexgod/44CALIBER, id = 44e5bbc1-f442-47d3-8431-25182f38439d
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: 7FEGBYFBHFBJH32.exe, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@2/15@1/1

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

File created: C:\Users\user\AppData\Roaming\44

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7416

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4FED.tmp

Source: 7FEGBYFBHFBJH32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7FEGBYFBHFBJH32.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481E51000.00000004.00000800.00020000.00000000.sdmp, tmp505C.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 7FEGBYFBHFBJH32.exe

Virustotal: Detection: 71%

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

File read: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Source: unknown	Process created: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe "C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe"
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 7FEGBYFBHFBJH32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7FEGBYFBHFBJH32.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 7FEGBYFBHFBJH32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.pdb source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481EC2000.00000004.00000800.00020000.00000000.sdmp, WER525E.tmp.dmp.3.dr
Source:	Binary string: Insidious.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WER525E.tmp.dmp.3.dr
Source:	Binary string: C:\Users\ddtug\Downloads\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: 7FEGBYFBHFBJH32.exe
Source:	Binary string: mscorlib.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Core.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb#( source: WER525E.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: Insidious.pdb@w^ source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER525E.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WER525E.tmp.dmp.3.dr

Source: 7FEGBYFBHFBJH32.exe

Static PE information: 0xFF0F76A5 [Sat Aug 8 19:38:13 2105 UTC]

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 0_2_00007FFD9B7E021D push E95E4598h; ret		0_2_00007FFD9B7E0259
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Code function: 0_2_00007FFD9B7E00AD pushad ; iretd		0_2_00007FFD9B7E00C1

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Memory allocated: 224803C0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Memory allocated: 22499C80000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1819342876.000002249A518000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Queries volume information: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe VolumeInformation

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected 44Caliber Stealer

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JaxxDir
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ExodusDir
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR

Remote Access Functionality

Yara detected 44Caliber Stealer

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR

Yara detected Rags Stealer

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: Yara match	File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	3 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7FEGBYFBHFBJH32.exe	72%	Virustotal		Browse
7FEGBYFBHFBJH32.exe	100%	Avira	HEUR/AGEN.1307065
7FEGBYFBHFBJH32.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	188.114.96.3	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmp4FED.tmp.tmpdb.0.dr	false		high
https://duckduckgo.com/ac/?q=	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
https://steamcommunity.com/profiles/ASOFTWARE	7FEGBYFBHFBJH32.exe	false		high
https://freegeoip.app	7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp, 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.0.dr	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.0.dr	false		high
https://www.ecosia.org/newtab/	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp4FED.tmp.tmpdb.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
http://x1.c.lencr.org/0	cert9.db.0.dr	false		high
http://x1.i.lencr.org/0	cert9.db.0.dr	false		high
https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74	7FEGBYFBHFBJH32.exe	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.0.dr	false		high
https://api.vimeworld.ru/user/name/	7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	7FEGBYFBHFBJH32.exe	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp4FED.tmp.tmpdb.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481E6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr	false		high
http://freegeoip.app	7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	freegeoip.app	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583097
Start date and time:	2025-01-01 22:10:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7FEGBYFBHFBJH32.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@2/15@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 105 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.126.31.71, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 7FEGBYFBHFBJH32.exe, PID 7416 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:11:14	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freegeoip.app	tyPafmiT0t.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.97.3
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.73.97
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	188.114.97.3
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.96.3
	Insidious_protected.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	16oApcahEa.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	544WP3NHaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.198.102
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	188.114.96.3
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.96.3
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	188.114.96.3
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	1.ps1	Get hash	malicious	Unknown	Browse	188.114.96.3
	Let's_20Compress.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	OPRfEWLTto.js	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7FEGBYFBHFBJH32._97888a101021d5b6e5f93547cac549dae8ff78a0_d4a42602_de12d529-62ce-48df-8422-ce84912808da\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1212416592746164
Encrypted:	false
SSDEEP:	192:5coFU6ZTc809c0jQaWBTGlSeZBzuiF4AZ24lO8E:+omc49c0jQam0SmBzuiF4AY4lO8E
MD5:	55BE31223299FA1015C329F2F11AC5CE
SHA1:	30E92C3390586657012F6CB8D40A7AEF322D10F6
SHA-256:	8AB88962F5BA1622D3B66C50497110281CA9EF381D8C06ECEBF0D3341EDFECBA
SHA-512:	5AB1101589413CD384804634CE5295F55C18B74838EDED1EB6035E380188AA765637D3A5D5B54DE95F5142B50D8E78C7C7D3D6840E21BDE3205467A55F8EF9FE
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.2.3.9.4.5.8.8.4.7.0.8.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.2.3.9.4.6.0.4.0.9.5.8.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.1.2.d.5.2.9.-.6.2.c.e.-.4.8.d.f.-.8.4.2.2.-.c.e.8.4.9.1.2.8.0.8.d.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.9.c.d.0.d.a.-.4.4.b.a.-.4.c.3.5.-.8.d.3.5.-.b.8.5.7.c.b.f.2.e.3.f.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.7.F.E.G.B.Y.F.B.H.F.B.J.H.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.i.d.i.o.u.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.8.-.0.0.0.1.-.0.0.1.4.-.b.6.5.9.-.f.1.a.6.9.1.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.1.8.6.e.c.8.a.7.1.b.7.6.8.8.5.0.a.d.2.d.f.e.6.a.d.f.3.7.6.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.a.4.e.4.3.8.f.6.9.7.6.8.0.3.a.6.9.6.5.f.b.5.d.d.7.1.8.7.a.9.f.0.6.7.4.e.4.c.8.!.7.F.E.G.B.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER525E.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Jan 1 21:10:59 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	559552
Entropy (8bit):	3.352435239785875
Encrypted:	false
SSDEEP:	3072:ljJ7waDSHp3+vWp7wXiADvMooVmfyBOXpIymdSZxgRNiAb2k4t/t90JJV2Pv0cSz:1BwaCp3QWKXrvMPniAbtlEw/xlq4
MD5:	A5AD888A6E2FA423A0B0F2FCC6807C69
SHA1:	8B436CFBA71865DE6108FB6D6D45FD076EBC434D
SHA-256:	9B36132D8B486C7EDA110DF8F0DC56D14552D454E07B6F0330E5D3A09203C99F
SHA-512:	22BAD0FF518371D9B11A676A373C301DCC0B5E256173EEB57DDED6376BAA1EEBE64D5B0694645879B299A2B0810B295DDB28E145DE19B3DAFB9982E4C322F3C1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......c.ug........................,...$.......<...P$......t....$.......Z..............l.......8...........T...........pE..PD...........7...........8..............................................................................eJ.......9......Lw......................T...........a.ug.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5443.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8628
Entropy (8bit):	3.7042267822364794
Encrypted:	false
SSDEEP:	192:R6l7wVeJWy+6Y9vBZgmfZbiYprj89bZKGf8Tm:R6lXJb+6YFBZgmf1iJZTfl
MD5:	52C6BB81284F870AD2A0937EAD87D794
SHA1:	15DFEC2057F4ED2102BAB641E2C8598395FE82AB
SHA-256:	79AEFD62E56B48A4CCFC48F70E90B0AB6CFA0DA4AC45245A379E2B9629F53C75
SHA-512:	DEF30B6C52ED1081927AE6F8E2486589CB1116B245CAECE837B928CFF124C25AC1E08F7E20B0FF6FF3FFB196CD9D943EBB646C0A086FDA03653BB5CC457425EC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER555D.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4829
Entropy (8bit):	4.509380163844644
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDSmJg771I9liWpW8VY8Ym8M4JNEoFwyq8v4EnXCpBn4Gd:uIjfO8I72j7VoJmxWVnXCpeGd
MD5:	A98334A580FD1E75D694B9EA98B6F969
SHA1:	847363084DCABB687E023B355CB6C7BA50E93FE8
SHA-256:	080B21057B11B896A52E7F53F4C1F0D18BB83F3F5DE15EBCF457F874C76E0FE3
SHA-512:	2EC696F73B4DFBC0454E080E9B6C07A2100B5F0DC11DE6EC458A28A98DA55CCE770E5DD72DF6047007DF52703D5ADB7389034801EB182217AF251016C31573F3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="657373" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\fqs92o4p.default-release\cert9.db

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.64343788909108
Encrypted:	false
SSDEEP:	384:A1zkVmvQhyn+Zoz67dNlIMMz333JGN8j/LKXYj5kuv:AUUMXCyIr
MD5:	B6787B79D64948AAC1D6359AC18AB268
SHA1:	0831EB15AB2B330BE95975A24F8945ED284D0BA4
SHA-256:	9D6FD3B8AB8AA7934C75EDE36CEB9CF4DDAD06C5031E89872B4E814D7DB674E2
SHA-512:	9296866380EF966F1CB6E69B7B84D1A86CD5AE8D9A7332C57543875FAA4FC7F1387A4CF83B7D662E4BAB0381E4AFC9CB9999075EBB497C6756DF770454F3530E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\fqs92o4p.default-release\key4.db

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08436842005578409
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
MD5:	2CD2840E30F477F23438B7C9D031FC08
SHA1:	03D5410A814B298B068D62ACDF493B2A49370518
SHA-256:	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
SHA-512:	DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4FED.tmp.tmpdb

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp502C.tmp.dat

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp505C.tmp.dat

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp506D.tmp.dat

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp509C.tmp.dat

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp50AD.tmp.tmpdb

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp50AE.tmp.dat

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp50CE.tmp.dat

Process:	C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve