Windows Analysis Report
7FEGBYFBHFBJH32.exe

Overview

General Information

Sample name: 7FEGBYFBHFBJH32.exe
Analysis ID: 1583097
MD5: 5fd5700f4787f405bc2a0fc6e6233037
SHA1: ba4e438f6976803a6965fb5dd7187a9f0674e4c8
SHA256: a680029a0a1bd1aa336b5e4086104f21f2a97b054e6fb1b9fb122ed32786ce12
Tags: exe, user-aachum

Detection

44Caliber Stealer, BlackGuard, Rags Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Rags Stealer
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7FEGBYFBHFBJH32.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe" MD5: 5FD5700F4787F405BC2A0FC6E6233037)
    • WerFault.exe (PID: 7580 cmdline: C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware configuration (extracted, 44Caliber Stealer): {"Discord Webhook": "https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74dpejrx9TbGUYSk03-Cb92\u0001123321"}
Source | Rule | Description | Author | Strings
7FEGBYFBHFBJH32.exe | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security |
7FEGBYFBHFBJH32.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
7FEGBYFBHFBJH32.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
7FEGBYFBHFBJH32.exe | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security |
7FEGBYFBHFBJH32.exe | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security |
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security |
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
  • 0x40faf:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}

Source | Rule | Description | Author | Strings
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security |
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security |
0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
                              No Sigma rule has matched
                              No Suricata rule has matched


                              AV Detection

Source: 7FEGBYFBHFBJH32.exe | Avira: detected
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack | Malware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74dpejrx9TbGUYSk03-Cb92\u0001123321"}
Source: 7FEGBYFBHFBJH32.exe | Virustotal: Detection: 71%
Source: Yara match | File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: 7FEGBYFBHFBJH32.exe | Joe Sandbox ML: detected

                              Location Tracking

Source: unknown | DNS query: name: freegeoip.app
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: 7FEGBYFBHFBJH32.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: mscorlib.pdb | source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481EC2000.00000004.00000800.00020000.00000000.sdmp, WER525E.tmp.dmp.3.dr
Source: Binary string: Insidious.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.ni.pdbRSDS | source: WER525E.tmp.dmp.3.dr
Source: Binary string: C:\Users\ddtug\Downloads\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb | source: 7FEGBYFBHFBJH32.exe
Source: Binary string: mscorlib.ni.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Core.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Configuration.ni.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Xml.pdb#( | source: WER525E.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Configuration.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: Insidious.pdb@w^ | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Xml.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.ni.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.pdb | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WER525E.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdb | source: WER525E.tmp.dmp.3.dr
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Code function: 4x nop then jmp 00007FFD9B7E3D1Fh | 0_2_00007FFD9B7E3BCD
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Code function: 4x nop then jmp 00007FFD9B7E668Ah | 0_2_00007FFD9B7E61C8
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Code function: 4x nop then mov eax, dword ptr [ebp-24h] | 0_2_00007FFD9B7F4ED0
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Code function: 4x nop then jmp 00007FFD9B7E88ABh | 0_2_00007FFD9B7E8581
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Code function: 4x nop then mov edx, dword ptr [ebp-14h] | 0_2_00007FFD9B7E5B30

                              Networking

Source: Yara match | File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: freegeoip.app
Source: cert9.db.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.0.dr | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.0.dr | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.app
Source: cert9.db.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.0.dr | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: cert9.db.0.dr | String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.0.dr | String found in binary or memory: http://x1.i.lencr.org/0
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: 7FEGBYFBHFBJH32.exe | String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7FEGBYFBHFBJH32.exe | String found in binary or memory: https://discord.com/api/webhooks/1324061351169101927/Upg-sOh6FXJYwbAsqIx2PTZdfYr6z3JtFkd-CN6KxlCaM74
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp, 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: 7FEGBYFBHFBJH32.exe | String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://support.mozilla.org
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D26000.00000004.00000800.00020000.00000000.sdmp, tmp506D.tmp.dat.0.dr, tmp502C.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D48000.00000004.00000800.00020000.00000000.sdmp, tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1818258957.0000022491D48000.00000004.00000800.00020000.00000000.sdmp, tmp4FED.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2

                              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7FEGBYFBHFBJH32.exe, Screen.cs | .Net Code: GetScreen

                              E-Banking Fraud

Source: Yara match | File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

                              System Summary

Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: Finds samples of the 44Caliber stealer Author: Sekoia.io
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: Finds samples of the 44Caliber stealer Author: Sekoia.io
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInsidious.exe6 vs 7FEGBYFBHFBJH32.exe
Source: 7FEGBYFBHFBJH32.exe | Binary or memory string: OriginalFilenameInsidious.exe6 vs 7FEGBYFBHFBJH32.exe
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: infostealer_win_44caliber author = Sekoia.io, description = Finds samples of the 44Caliber stealer, creation_date = 2022-03-08, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/razexgod/44CALIBER, id = 44e5bbc1-f442-47d3-8431-25182f38439d
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7FEGBYFBHFBJH32.exe, type: SAMPLE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_44caliber author = Sekoia.io, description = Finds samples of the 44Caliber stealer, creation_date = 2022-03-08, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/razexgod/44CALIBER, id = 44e5bbc1-f442-47d3-8431-25182f38439d
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7FEGBYFBHFBJH32.exe, Help.cs | Suspicious URL: 'https://api.vimeworld.ru/user/name/'
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@2/15@1/1
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | File created: C:\Users\user\AppData\Roaming\44
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7416
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4FED.tmp
Source: 7FEGBYFBHFBJH32.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7FEGBYFBHFBJH32.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481E51000.00000004.00000800.00020000.00000000.sdmp, tmp505C.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 7FEGBYFBHFBJH32.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | File read: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe
Source: unknown | Process created: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe "C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe"
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7416 -s 1700
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 7FEGBYFBHFBJH32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7FEGBYFBHFBJH32.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 7FEGBYFBHFBJH32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: Binary string: System.Xml.ni.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: mscorlib.pdb source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481EC2000.00000004.00000800.00020000.00000000.sdmp, WER525E.tmp.dmp.3.dr
                              Source: Binary string: Insidious.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.ni.pdbRSDS source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: C:\Users\ddtug\Downloads\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: 7FEGBYFBHFBJH32.exe
                              Source: Binary string: mscorlib.ni.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Core.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Configuration.ni.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Xml.pdb#( source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Configuration.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: Insidious.pdb@w^ source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Xml.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.ni.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.pdb source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Core.ni.pdbRSDS source: WER525E.tmp.dmp.3.dr
                              Source: Binary string: System.Core.ni.pdb source: WER525E.tmp.dmp.3.dr
                              Source: 7FEGBYFBHFBJH32.exe Static PE information: 0xFF0F76A5 [Sat Aug 8 19:38:13 2105 UTC]
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Code function: 0_2_00007FFD9B7E021D push E95E4598h; ret 0_2_00007FFD9B7E0259
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Code function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                              Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Memory allocated: 224803C0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Memory allocated: 22499C80000 memory reserve | memory write watch
                              Source: Amcache.hve.3.dr Binary or memory string: VMware
                              Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
                              Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
                              Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
                              Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
                              Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                              Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                              Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                              Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                              Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                              Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                              Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1819342876.000002249A518000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
                              Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                              Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
                              Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
                              Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                              Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
                              Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                              Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
                              Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                              Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                              Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                              Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                              Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
                              Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
                              Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
                              Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                              Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Process information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Process queried: DebugPort
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Process queried: DebugPort
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Memory allocated: page read and write | page guard
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Queries volume information: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe VolumeInformation
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                              Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
                              Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                              Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

                              Stealing of Sensitive Information

                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR
                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Electrum
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: JaxxDir
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ExodusDir
                              Source: 7FEGBYFBHFBJH32.exe, 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Ethereum
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                              Source: C:\Users\user\Desktop\7FEGBYFBHFBJH32.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: 00000000.00000002.1817698372.0000022481D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR

                              Remote Access Functionality

                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR
                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: 7FEGBYFBHFBJH32.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.7FEGBYFBHFBJH32.exe.22480030000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1652511622.0000022480032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: 00000000.00000002.1817698372.0000022481CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: 7FEGBYFBHFBJH32.exe PID: 7416, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in front of a technique is the count of matched signatures mapped to it; techniques without a number were not observed for this sample):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Screen Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.