|
14OWDrfahJ.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
| Filetype: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.950471609848932
|
| Filename: |
14OWDrfahJ.exe
|
| Filesize: |
1200128
|
| MD5: |
725dbfed269993cb9944c2e1f7bde652
|
| SHA1: |
7104f1350e38ec3c3ea49154f1bba976572cb271
|
| SHA256: |
6db8fff48b37469101d280c3e60463c27ace26ea8076e94e358ae74e49fb46ac
|
| SHA512: |
1b3eff8e975ee797787b003106d8d222b7c51a85549b3060b80b95edf5e6ef7aa1cfb9d066fd37add46066127b179d8b5c6fdc4d720c47b6524dccbd589e3227
|
| SSDEEP: |
24576:NyHiBlVAY6BZzrjPP57SKJXenZzrIKg0maIxCKy3dHELZwIIe:oCBIBZvrN/JOZzrIK88KmaVr
|
| Preview: |
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K...N...K...H...K...O...K...J...K...J...K...C...K.......K...I...K.Rich..K.........PE..L....`.b.................d.
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Multi AV Scanner detection for submitted file |
AV Detection |
|
| Malicious sample detected (through community Yara rule) |
System Summary |
|
| Antivirus / Scanner detection for submitted sample |
AV Detection |
|
| Machine Learning detection for sample |
AV Detection |
|
| Uses code obfuscation techniques (call, push, ret) |
Data Obfuscation |
|
| Detected potential crypto function |
System Summary |
Access Token Manipulation
|
| Contains functionality to dynamically determine API calls |
Data Obfuscation, Anti Debugging |
|
| Drops PE files |
Persistence and Installation Behavior |
Access Token Manipulation
|
| Tries to load missing DLLs |
System Summary |
|
| Found evasive API chain checking for process token information |
Malware Analysis System Evasion |
Access Token Manipulation
|
| Uses 32bit PE files |
Compliance, System Summary |
|
| Yara signature match |
System Summary |
|
| Contains functionality to shutdown / reboot the system |
System Summary |
Access Token Manipulation
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
| PE file contains executable resources (Code or Archives) |
System Summary |
|
| AV process strings found (often used to terminate AV products) |
Lowering of HIPS / PFW / Operating System Security Settings |
|
| Sample file is different than original file name gathered from version info |
System Summary |
Access Token Manipulation
|
| Uses Microsoft's Enhanced Cryptographic Provider |
Cryptography |
System Network Configuration Discovery
|
| PE file has an executable .text section and no other executable section |
System Summary |
Access Token Manipulation
|
| Contains functionality to read ini properties file for application configuration |
Persistence and Installation Behavior |
|
| Contains functionality to query local / system time |
Language, Device and Operating System Detection |
Access Token Manipulation
|
| Contains functionality for error logging |
System Summary |
Access Token Manipulation
|
| Contains functionality to load and extract PE file embedded resources |
System Summary |
|
| Contains functionality to create a new security descriptor |
HIPS / PFW / Operating System Protection Evasion |
Access Token Manipulation
|
| Sample is known by Antivirus |
System Summary |
Access Token Manipulation
|
| Contains functionality to query system information |
Malware Analysis System Evasion |
|
| Reads software policies |
System Summary |
Access Token Manipulation
|
| Contains functionality to enumerate / list files inside a directory |
Spreading, Malware Analysis System Evasion |
|
| Contains functionality to adjust token privileges (e.g. debug / backup) |
System Summary |
Access Token Manipulation
|
| Creates temporary files |
System Summary |
|
| Contains functionality to check free disk space |
System Summary |
|
| Contains functionality to query windows version |
Language, Device and Operating System Detection |
|
| Contains functionality to register its own exception handler |
Anti Debugging |
|
| Might use command line arguments |
System Summary |
|
| PE file contains a debug data directory |
System Summary |
|
| Contains modern PE file flags such as dynamic base (ASLR) or NX |
Compliance, System Summary |
|
| PE file contains a mix of data directories often seen in goodware |
System Summary |
|
| PE file has a big raw section |
System Summary |
|
| Submission file is bigger than most known malware samples |
System Summary |
|
| Found GUI installer (many successful clicks) |
System Summary |
|
|
|
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Category: |
dropped
|
| Dump: |
OfficeTrackerNMP131.exe.12.dr
|
| ID: |
dr_10
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.666192479005095
|
| Encrypted: |
false
|
| Ssdeep: |
24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
|
| Size: |
1322267
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected PrivateLoader |
Spreading, Networking, Stealing of Sensitive Information, Remote Access Functionality |
|
| Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) |
Malware Analysis System Evasion |
|
| Found stalling execution ending in API Sleep call |
Malware Analysis System Evasion |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Tries to harvest and steal browser information (history, passwords, etc) |
Stealing of Sensitive Information |
|
| Tries to steal Mail credentials (via file / registry access) |
Stealing of Sensitive Information |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
| Found decision node followed by non-executed suspicious APIs |
Malware Analysis System Evasion |
|
| Found evasive API chain (date check) |
Malware Analysis System Evasion |
|
| Installs a Chrome extension |
Persistence and Installation Behavior |
Browser Session Hijacking
|
| Queries information about the installed CPU (vendor, model number etc) |
Language, Device and Operating System Detection |
System Information Discovery
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Sample execution stops while process was sleeping (likely an evasion) |
Malware Analysis System Evasion |
|
| Program exit points |
Malware Analysis System Evasion |
|
| Sample might require command line arguments |
System Summary |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
|
| Category: |
dropped
|
| Dump: |
MaxLoonaFest131.exe.12.dr
|
| ID: |
dr_7
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.666192479005095
|
| Encrypted: |
false
|
| Ssdeep: |
24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
|
| Size: |
1322267
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected PrivateLoader |
Spreading, Networking, Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\FANBooster131\FANBooster131.exe
|
| Category: |
dropped
|
| Dump: |
FANBooster131.exe.12.dr
|
| ID: |
dr_8
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.666192479005095
|
| Encrypted: |
false
|
| Ssdeep: |
24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
|
| Size: |
1322267
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected PrivateLoader |
Spreading, Networking, Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\5Rp2df8.exe
|
| Category: |
dropped
|
| Dump: |
5Rp2df8.exe.0.dr
|
| ID: |
dr_1
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\14OWDrfahJ.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.228014101885434
|
| Encrypted: |
false
|
| Ssdeep: |
3072:jDKW1LgppLRHMY0TBfJvjcTp5X2QyRk9Bo7KWH2yHsGe:jDKW1Lgbdl0TBBvjc/EIBr42f
|
| Size: |
194329
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected RedLine Stealer |
Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
|
| Category: |
dropped
|
| Dump: |
Ey3OF47.exe.0.dr
|
| ID: |
dr_0
|
| Target ID: |
0
|
| Process: |
C:\Users\user\Desktop\14OWDrfahJ.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.932567220315467
|
| Encrypted: |
false
|
| Ssdeep: |
24576:7yzQY6ImYCjOE00BoBXInozrpEZ3mbfxCqyXdHQO:uwImV62+BYozrpEi8qua
|
| Size: |
975872
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
| Found evasive API chain checking for process token information |
Malware Analysis System Evasion |
|
| Tries to load missing DLLs |
System Summary |
|
| Spawns processes |
System Summary |
|
| Found GUI installer (many successful clicks) |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\4eD052Od.exe
|
| Category: |
dropped
|
| Dump: |
4eD052Od.exe.1.dr
|
| ID: |
dr_3
|
| Target ID: |
1
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.966236649868699
|
| Encrypted: |
false
|
| Ssdeep: |
768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV
|
| Size: |
38170
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Yara detected SmokeLoader |
Key, Mouse, Clipboard, Microphone and Screen Capturing, Stealing of Sensitive Information, Remote Access Functionality |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found dropped PE file which has not been started or loaded |
Malware Analysis System Evasion |
|
|
|
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
|
| Category: |
dropped
|
| Dump: |
BC5tT98.exe.1.dr
|
| ID: |
dr_2
|
| Target ID: |
1
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\Ey3OF47.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
7.916586155218512
|
| Encrypted: |
false
|
| Ssdeep: |
24576:4ypiqqjCyPW8UoiXqnozrHHJ3muNxCWyMdCW:/IGSppi6ozrHHJ8Wl
|
| Size: |
848896
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found evasive API chain checking for process token information |
Malware Analysis System Evasion |
|
| Tries to load missing DLLs |
System Summary |
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\2Iu7231.exe
|
| Category: |
dropped
|
| Dump: |
2Iu7231.exe.2.dr
|
| ID: |
dr_4
|
| Target ID: |
2
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
|
| Type: |
PE32 executable (console) Intel 80386, for MS Windows
|
| Entropy: |
6.737133406380524
|
| Encrypted: |
false
|
| Ssdeep: |
6144:v3nNKoPE2gZB/6fZOE0EUAOtwdl7HaOBq3Nu13Cdq66666q18x:fnNTPE2CEgEdl76nEds/x
|
| Size: |
505120
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Allocates memory in foreign processes |
HIPS / PFW / Operating System Protection Evasion |
|
| Contains functionality to inject code into remote processes |
HIPS / PFW / Operating System Protection Evasion |
|
| Injects a PE file into a foreign processes |
HIPS / PFW / Operating System Protection Evasion |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Writes to foreign memory regions |
HIPS / PFW / Operating System Protection Evasion |
|
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) |
Anti Debugging |
|
| Contains functionality to check if a debugger is running (IsDebuggerPresent) |
Anti Debugging |
Security Software Discovery
|
| Contains functionality to query CPU information (cpuid) |
Language, Device and Operating System Detection |
System Information Discovery
|
| Contains functionality to query locales information (e.g. system language) |
Language, Device and Operating System Detection |
System Information Discovery
|
| Contains functionality to read the PEB |
Anti Debugging |
|
| Contains functionality which may be used to detect a debugger (GetProcessHeap) |
Anti Debugging |
Security Software Discovery
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Found evasive API chain (date check) |
Malware Analysis System Evasion |
|
| Found potential string decryption / allocating functions |
System Summary |
Obfuscated Files or Information
Deobfuscate/Decode Files or Information
|
| Tries to load missing DLLs |
System Summary |
|
| Contains functionality to modify the execution of threads in other processes |
|
|
| Spawns processes |
System Summary |
|
|
|
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Category: |
dropped
|
| Dump: |
3rB05VU.exe.2.dr
|
| ID: |
dr_5
|
| Target ID: |
2
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP001.TMP\BC5tT98.exe
|
| Type: |
PE32 executable (GUI) Intel 80386, for MS Windows
|
| Entropy: |
6.666192479005095
|
| Encrypted: |
false
|
| Ssdeep: |
24576:NmmEs2wqfcRBxJCBEmAMpCOJMbgp2kvB1Pj5R+d3ThJZrU35Zln2i6:8dw/IyPxbgp2iB1Pju3TRrK5Zln2i6
|
| Size: |
1322267
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Yara detected PrivateLoader |
Spreading, Networking, Stealing of Sensitive Information, Remote Access Functionality |
|
| Contains functionality to inject threads in other processes |
HIPS / PFW / Operating System Protection Evasion |
|
| Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) |
Malware Analysis System Evasion |
|
| Found stalling execution ending in API Sleep call |
Malware Analysis System Evasion |
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Tries to steal Mail credentials (via file / registry access) |
Stealing of Sensitive Information |
|
| Uses schtasks.exe or at.exe to add and modify task schedules |
Boot Survival |
|
| Contains functionality to call native functions |
System Summary |
|
| Contains functionality to record screenshots |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
|
| Creates a start menu entry (Start Menu\Programs\Startup) |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Drops PE files to the application program directory (C:\ProgramData) |
Persistence and Installation Behavior |
|
| Extensive use of GetProcAddress (often used to hide API calls) |
Hooking and other Techniques for Hiding and Protection |
|
| Found decision node followed by non-executed suspicious APIs |
Malware Analysis System Evasion |
|
| Found evasive API chain (date check) |
Malware Analysis System Evasion |
|
| Queries information about the installed CPU (vendor, model number etc) |
Language, Device and Operating System Detection |
System Information Discovery
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
System Information Discovery
|
| Sample execution stops while process was sleeping (likely an evasion) |
Malware Analysis System Evasion |
|
| Stores files to the Windows start menu directory |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Tries to load missing DLLs |
System Summary |
|
| Uses the system / local time for branch decision (may execute only at specific dates) |
Malware Analysis System Evasion |
|
| Contains functionality to download additional files from the internet |
Networking |
|
| Contains functionality to enum processes or threads |
System Summary |
|
| Contains functionality to instantiate COM classes |
System Summary |
|
| Contains functionality to query the account / user name |
Language, Device and Operating System Detection |
System Owner/User Discovery
|
| Contains functionality to query time zone information |
Language, Device and Operating System Detection |
|
| Creates an autostart registry key |
Boot Survival |
Registry Run Keys / Startup Folder
|
| Enumerates the file system |
Spreading, Malware Analysis System Evasion |
File and Directory Discovery
|
| Program exit points |
Malware Analysis System Evasion |
|
| Reads ini files |
System Summary |
File and Directory Discovery
|
| Sample might require command line arguments |
System Summary |
Command and Scripting Interpreter
|
| Spawns processes |
System Summary |
|
| Checks if Microsoft Office is installed |
System Summary |
System Information Discovery
|
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
|
| Category: |
dropped
|
| Dump: |
AppLaunch.exe.log.11.dr
|
| ID: |
dr_6
|
| Target ID: |
11
|
| Process: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
|
| Type: |
ASCII text, with CRLF line terminators
|
| Entropy: |
5.33145931749415
|
| Encrypted: |
false
|
| Ssdeep: |
96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
|
| Size: |
3094
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\9qAkkNWhLDEhe3SVi3MbZOkApbYumn_h.zip
|
Zip archive data, at least v2.0 to extract, compression method=deflate
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\9qAkkNWhLDEhe3SVi3MbZOkApbYumn_h.zip
|
| Category: |
dropped
|
| Dump: |
9qAkkNWhLDEhe3SVi3MbZOkApbYumn_h.zip.12.dr
|
| ID: |
dr_11
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
Zip archive data, at least v2.0 to extract, compression method=deflate
|
| Entropy: |
7.897524359443915
|
| Encrypted: |
false
|
| Ssdeep: |
96:pWGzqeAoMq+YK0KF8cAJiI2i+u8qo87RGqUHa5Sr1zeE4WBFr:dqASpF8wFzqoc5U65BWBFr
|
| Size: |
5519
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\i0Y2zBdGkYmG70fPowdUhlT85ovTRCZq.zip
|
Zip archive data, at least v2.0 to extract, compression method=deflate
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\i0Y2zBdGkYmG70fPowdUhlT85ovTRCZq.zip
|
| Category: |
dropped
|
| Dump: |
i0Y2zBdGkYmG70fPowdUhlT85ovTRCZq.zip.17.dr
|
| ID: |
dr_34
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
Zip archive data, at least v2.0 to extract, compression method=deflate
|
| Entropy: |
7.899928372355382
|
| Encrypted: |
false
|
| Ssdeep: |
96:5WGzqeAoMq+YK0KF8cAJiI2i+uF81rXtQBoYx0iehfahx1Up+cBFV:NqASpF8wFm81r+ox5hChx1UpzBFV
|
| Size: |
5517
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\rise131M9Asphalt.tmp
|
ASCII text, with no line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\rise131M9Asphalt.tmp
|
| Category: |
dropped
|
| Dump: |
rise131M9Asphalt.tmp.12.dr
|
| ID: |
dr_12
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
ASCII text, with no line terminators
|
| Entropy: |
2.7773627950641693
|
| Encrypted: |
false
|
| Ssdeep: |
3:L/+Qt:D+Q
|
| Size: |
13
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\02zdBXl47cvzHistory
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\02zdBXl47cvzHistory
|
| Category: |
dropped
|
| Dump: |
02zdBXl47cvzHistory.12.dr
|
| ID: |
dr_18
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
| Entropy: |
0.7873599747470391
|
| Encrypted: |
false
|
| Ssdeep: |
96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
|
| Size: |
159744
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\02zdBXl47cvzcookies.sqlite
|
SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\02zdBXl47cvzcookies.sqlite
|
| Category: |
dropped
|
| Dump: |
02zdBXl47cvzcookies.sqlite.12.dr
|
| ID: |
dr_17
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
|
| Entropy: |
0.08235737944063153
|
| Encrypted: |
false
|
| Ssdeep: |
12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
|
| Size: |
98304
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Enumerates the file system |
Spreading, Malware Analysis System Evasion |
File and Directory Discovery
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\2jQJv37iJ0lzHistory
|
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\2jQJv37iJ0lzHistory
|
| Category: |
dropped
|
| Dump: |
2jQJv37iJ0lzHistory.12.dr
|
| ID: |
dr_27
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
| Entropy: |
0.47147045728725767
|
| Encrypted: |
false
|
| Ssdeep: |
96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
|
| Size: |
126976
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\3b6N2Xdh3CYwWeb Data
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\3b6N2Xdh3CYwWeb Data
|
| Category: |
dropped
|
| Dump: |
3b6N2Xdh3CYwWeb Data.12.dr
|
| ID: |
dr_20
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
| Entropy: |
1.1358696453229276
|
| Encrypted: |
false
|
| Ssdeep: |
192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
|
| Size: |
106496
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\3b6N2Xdh3CYwplaces.sqlite
|
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\3b6N2Xdh3CYwplaces.sqlite
|
| Category: |
dropped
|
| Dump: |
3b6N2Xdh3CYwplaces.sqlite.12.dr
|
| ID: |
dr_19
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.037963276276857943
|
| Encrypted: |
false
|
| Ssdeep: |
192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
|
| Size: |
5242880
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\8ghN89CsjOW1Login Data For Account
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\8ghN89CsjOW1Login Data For Account
|
| Category: |
dropped
|
| Dump: |
8ghN89CsjOW1Login Data For Account.12.dr
|
| ID: |
dr_15
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
| Entropy: |
0.8553638852307782
|
| Encrypted: |
false
|
| Ssdeep: |
48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
|
| Size: |
40960
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\D87fZN3R3jFeWeb Data
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\D87fZN3R3jFeWeb Data
|
| Category: |
dropped
|
| Dump: |
D87fZN3R3jFeWeb Data.12.dr
|
| ID: |
dr_16
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
| Entropy: |
1.1358696453229276
|
| Encrypted: |
false
|
| Ssdeep: |
192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
|
| Size: |
106496
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\D87fZN3R3jFeplaces.sqlite
|
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\D87fZN3R3jFeplaces.sqlite
|
| Category: |
dropped
|
| Dump: |
D87fZN3R3jFeplaces.sqlite.12.dr
|
| ID: |
dr_13
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.037963276276857943
|
| Encrypted: |
false
|
| Ssdeep: |
192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
|
| Size: |
5242880
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\Ei8DrAmaYu9KLogin Data
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\Ei8DrAmaYu9KLogin Data
|
| Category: |
dropped
|
| Dump: |
Ei8DrAmaYu9KLogin Data.12.dr
|
| ID: |
dr_14
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
| Entropy: |
0.8553638852307782
|
| Encrypted: |
false
|
| Ssdeep: |
48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
|
| Size: |
40960
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\IWPfiAXUTJTSHistory
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\IWPfiAXUTJTSHistory
|
| Category: |
dropped
|
| Dump: |
IWPfiAXUTJTSHistory.12.dr
|
| ID: |
dr_22
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
| Entropy: |
0.7873599747470391
|
| Encrypted: |
false
|
| Ssdeep: |
96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
|
| Size: |
159744
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\JX0OQi4nZtiqWeb Data
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\JX0OQi4nZtiqWeb Data
|
| Category: |
dropped
|
| Dump: |
JX0OQi4nZtiqWeb Data.12.dr
|
| ID: |
dr_24
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.9746603542602881
|
| Encrypted: |
false
|
| Ssdeep: |
192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
|
| Size: |
114688
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\QdX9ITDLyCRBLogin Data
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\QdX9ITDLyCRBLogin Data
|
| Category: |
dropped
|
| Dump: |
QdX9ITDLyCRBLogin Data.12.dr
|
| ID: |
dr_23
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
| Entropy: |
0.8180424350137764
|
| Encrypted: |
false
|
| Ssdeep: |
96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
|
| Size: |
49152
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\UPG2LoPXwc7OHistory
|
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\UPG2LoPXwc7OHistory
|
| Category: |
dropped
|
| Dump: |
UPG2LoPXwc7OHistory.12.dr
|
| ID: |
dr_25
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
| Entropy: |
0.47147045728725767
|
| Encrypted: |
false
|
| Ssdeep: |
96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
|
| Size: |
126976
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\o0qT3dWYBP7ZWeb Data
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\o0qT3dWYBP7ZWeb Data
|
| Category: |
dropped
|
| Dump: |
o0qT3dWYBP7ZWeb Data.12.dr
|
| ID: |
dr_26
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.9746603542602881
|
| Encrypted: |
false
|
| Ssdeep: |
192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
|
| Size: |
114688
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\oOPEmFmu_xsJCookies
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8,
version-valid-for 11
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSaeI8GhtgT29e\oOPEmFmu_xsJCookies
|
| Category: |
dropped
|
| Dump: |
oOPEmFmu_xsJCookies.12.dr
|
| ID: |
dr_21
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8,
version-valid-for 11
|
| Entropy: |
2.5793180405395284
|
| Encrypted: |
false
|
| Ssdeep: |
96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
|
| Size: |
28672
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\02zdBXl47cvzHistory
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\02zdBXl47cvzHistory
|
| Category: |
dropped
|
| Dump: |
02zdBXl47cvzHistory.18.dr
|
| ID: |
dr_49
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
| Entropy: |
0.7873599747470391
|
| Encrypted: |
false
|
| Ssdeep: |
96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
|
| Size: |
159744
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\02zdBXl47cvzcookies.sqlite
|
SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\02zdBXl47cvzcookies.sqlite
|
| Category: |
dropped
|
| Dump: |
02zdBXl47cvzcookies.sqlite.17.dr
|
| ID: |
dr_38
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
|
| Entropy: |
0.08235737944063153
|
| Encrypted: |
false
|
| Ssdeep: |
12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
|
| Size: |
98304
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\2jQJv37iJ0lzHistory
|
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\2jQJv37iJ0lzHistory
|
| Category: |
dropped
|
| Dump: |
2jQJv37iJ0lzHistory.18.dr
|
| ID: |
dr_47
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
| Entropy: |
0.47147045728725767
|
| Encrypted: |
false
|
| Ssdeep: |
96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
|
| Size: |
126976
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\3b6N2Xdh3CYwWeb Data
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\3b6N2Xdh3CYwWeb Data
|
| Category: |
dropped
|
| Dump: |
3b6N2Xdh3CYwWeb Data.18.dr
|
| ID: |
dr_40
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
| Entropy: |
1.1358696453229276
|
| Encrypted: |
false
|
| Ssdeep: |
192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
|
| Size: |
106496
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\3b6N2Xdh3CYwplaces.sqlite
|
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\3b6N2Xdh3CYwplaces.sqlite
|
| Category: |
dropped
|
| Dump: |
3b6N2Xdh3CYwplaces.sqlite.17.dr
|
| ID: |
dr_39
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.037963276276857943
|
| Encrypted: |
false
|
| Ssdeep: |
192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
|
| Size: |
5242880
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\8ghN89CsjOW1Login Data For Account
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\8ghN89CsjOW1Login Data For Account
|
| Category: |
dropped
|
| Dump: |
8ghN89CsjOW1Login Data For Account.17.dr
|
| ID: |
dr_37
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
| Entropy: |
0.8553638852307782
|
| Encrypted: |
false
|
| Ssdeep: |
48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
|
| Size: |
40960
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\D87fZN3R3jFeWeb Data
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\D87fZN3R3jFeWeb Data
|
| Category: |
dropped
|
| Dump: |
D87fZN3R3jFeWeb Data.18.dr
|
| ID: |
dr_48
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
| Entropy: |
1.1358696453229276
|
| Encrypted: |
false
|
| Ssdeep: |
192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
|
| Size: |
106496
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\D87fZN3R3jFeplaces.sqlite
|
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\D87fZN3R3jFeplaces.sqlite
|
| Category: |
dropped
|
| Dump: |
D87fZN3R3jFeplaces.sqlite.17.dr
|
| ID: |
dr_35
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version
2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.037963276276857943
|
| Encrypted: |
false
|
| Ssdeep: |
192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
|
| Size: |
5242880
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\Ei8DrAmaYu9KLogin Data
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\Ei8DrAmaYu9KLogin Data
|
| Category: |
dropped
|
| Dump: |
Ei8DrAmaYu9KLogin Data.17.dr
|
| ID: |
dr_36
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
| Entropy: |
0.8553638852307782
|
| Encrypted: |
false
|
| Ssdeep: |
48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
|
| Size: |
40960
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\IWPfiAXUTJTSHistory
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\IWPfiAXUTJTSHistory
|
| Category: |
dropped
|
| Dump: |
IWPfiAXUTJTSHistory.18.dr
|
| ID: |
dr_42
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 4
|
| Entropy: |
0.7873599747470391
|
| Encrypted: |
false
|
| Ssdeep: |
96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
|
| Size: |
159744
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\JX0OQi4nZtiqWeb Data
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\JX0OQi4nZtiqWeb Data
|
| Category: |
dropped
|
| Dump: |
JX0OQi4nZtiqWeb Data.18.dr
|
| ID: |
dr_44
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.9746603542602881
|
| Encrypted: |
false
|
| Ssdeep: |
192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
|
| Size: |
114688
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\QdX9ITDLyCRBLogin Data
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\QdX9ITDLyCRBLogin Data
|
| Category: |
dropped
|
| Dump: |
QdX9ITDLyCRBLogin Data.18.dr
|
| ID: |
dr_43
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
| Entropy: |
0.8180424350137764
|
| Encrypted: |
false
|
| Ssdeep: |
96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
|
| Size: |
49152
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\UPG2LoPXwc7OHistory
|
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\UPG2LoPXwc7OHistory
|
| Category: |
dropped
|
| Dump: |
UPG2LoPXwc7OHistory.18.dr
|
| ID: |
dr_45
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4,
UTF-8, version-valid-for 2
|
| Entropy: |
0.47147045728725767
|
| Encrypted: |
false
|
| Ssdeep: |
96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
|
| Size: |
126976
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\o0qT3dWYBP7ZWeb Data
|
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\o0qT3dWYBP7ZWeb Data
|
| Category: |
dropped
|
| Dump: |
o0qT3dWYBP7ZWeb Data.18.dr
|
| ID: |
dr_46
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie
0x24, schema 4, UTF-8, version-valid-for 2
|
| Entropy: |
0.9746603542602881
|
| Encrypted: |
false
|
| Ssdeep: |
192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
|
| Size: |
114688
|
| Whitelisted: |
true
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\oOPEmFmu_xsJCookies
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8,
version-valid-for 11
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempAVSgsImjMYlWzR3\oOPEmFmu_xsJCookies
|
| Category: |
dropped
|
| Dump: |
oOPEmFmu_xsJCookies.18.dr
|
| ID: |
dr_41
|
| Target ID: |
18
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8,
version-valid-for 11
|
| Entropy: |
2.5793180405395284
|
| Encrypted: |
false
|
| Ssdeep: |
96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
|
| Size: |
28672
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Cookies\Chrome_Default.txt
|
ASCII text, with very long lines (769), with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\Cookies\Chrome_Default.txt
|
| Category: |
dropped
|
| Dump: |
Chrome_Default.txt.12.dr
|
| ID: |
dr_28
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
ASCII text, with very long lines (769), with CRLF line terminators
|
| Entropy: |
6.038274200863744
|
| Encrypted: |
false
|
| Ssdeep: |
96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
|
| Size: |
6085
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\information.txt
|
ASCII text
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\information.txt
|
| Category: |
dropped
|
| Dump: |
information.txt.12.dr
|
| ID: |
dr_30
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
ASCII text
|
| Entropy: |
5.385073733001579
|
| Encrypted: |
false
|
| Ssdeep: |
96:twlQwbf9fJHBd8pvBUfioHmobapzOI4+68Dae5apYBRw/f0iV2z5JZx8kaNKs7sJ:t6RKgioGobaoI4+68Dae5apYBRw/f0ia
|
| Size: |
5722
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\passwords.txt
|
Unicode text, UTF-8 text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempCMSaeI8GhtgT29e\passwords.txt
|
| Category: |
dropped
|
| Dump: |
passwords.txt.12.dr
|
| ID: |
dr_29
|
| Target ID: |
12
|
| Process: |
C:\Users\user\AppData\Local\Temp\IXP002.TMP\3rB05VU.exe
|
| Type: |
Unicode text, UTF-8 text, with CRLF line terminators
|
| Entropy: |
2.5402512142169575
|
| Encrypted: |
false
|
| Ssdeep: |
48:tMMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMME:m
|
| Size: |
4902
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Cookies\Chrome_Default.txt
|
ASCII text, with very long lines (769), with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\Cookies\Chrome_Default.txt
|
| Category: |
dropped
|
| Dump: |
Chrome_Default.txt.17.dr
|
| ID: |
dr_32
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
ASCII text, with very long lines (769), with CRLF line terminators
|
| Entropy: |
6.038274200863744
|
| Encrypted: |
false
|
| Ssdeep: |
96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
|
| Size: |
6085
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\information.txt
|
ASCII text
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\information.txt
|
| Category: |
dropped
|
| Dump: |
information.txt.17.dr
|
| ID: |
dr_33
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
ASCII text
|
| Entropy: |
5.385381816454912
|
| Encrypted: |
false
|
| Ssdeep: |
96:tCSQwbfvfJHBd8pvBUfioHmobapzOI4+68Dae5apYBRw/f0iV2z5JZx8kaNKs7sJ:O6rKgioGobaoI4+68Dae5apYBRw/f0ia
|
| Size: |
5724
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\passwords.txt
|
Unicode text, UTF-8 text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\Temp\tempCMSgsImjMYlWzR3\passwords.txt
|
| Category: |
dropped
|
| Dump: |
passwords.txt.17.dr
|
| ID: |
dr_31
|
| Target ID: |
17
|
| Process: |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
|
| Type: |
Unicode text, UTF-8 text, with CRLF line terminators
|
| Entropy: |
2.5402512142169575
|
| Encrypted: |
false
|
| Ssdeep: |
48:tMMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMME:m
|
| Size: |
4902
|
| Whitelisted: |
false
|
| Reputation: |
timeout
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive,
ctime=Tue Nov 21 02:17:50 2023, mtime=Tue Nov 21 02:17:50 2023, atime=Mon Nov 20 22:31:48 2023, length=1322267, window=hide
|
dropped
|
|
|
|
|
|
