BqqQh4Jr7L.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.967934456708274
Filename: BqqQh4Jr7L.exe
Filesize: 3251216
MD5: 112de57b8288c1c154f6725f421046fc
SHA1: f9feb02d8666090b7d284eaa2821244309d8f9fa
SHA256: fa918289433c703e2df9e0094bc05c67fdb2259603ae24a44b02edb0cc7ec62c
SHA512: 7bb82912dea6255f68b693dd227b9e9f5e3d48d24b2ed1425aa8666d38d72d0e62206f94b205868a2de608e3b1935419a2a24fa42abba9c9fb476aab07bd74d0
SSDEEP: 98304:owbi+g33t3xUt7a48cvEHX86yzdgjTbCTyb:oDnhx3tQQ7lCTyb
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Contains functionality to inject threads in other processes | HIPS / PFW / Operating System Protection Evasion |
Found stalling execution ending in API Sleep call | Malware Analysis System Evasion |
Machine Learning detection for sample | AV Detection |
PE file contains section with special chars | System Summary |
Query firmware table information (likely to detect VMs) | Malware Analysis System Evasion |
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | File and Directory Discovery
Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival |
Abnormal high CPU Usage | System Summary |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging |
Contains functionality to dynamically determine API calls | Data Obfuscation, Anti Debugging |
Contains functionality to query locales information (e.g. system language) | Language, Device and Operating System Detection |
Detected potential crypto function | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Found evasive API chain (date check) | Malware Analysis System Evasion |
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion | Virtualization/Sandbox Evasion, File and Directory Discovery
PE file contains sections with non-standard names | Data Obfuscation |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample execution stops while process was sleeping (likely an evasion) | Malware Analysis System Evasion |
Sample file is different than original file name gathered from version info | System Summary |
Uses 32bit PE files | Compliance, System Summary |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation | Obfuscated Files or Information
Binary may include packed or encrypted code | Data Obfuscation |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) | System Summary |
Contains functionality to download additional files from the internet | Networking |
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Contains functionality to modify the execution of threads in other processes | |
Contains functionality to query local / system time | Language, Device and Operating System Detection |
Contains functionality to register its own exception handler | Anti Debugging |
Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder, File and Directory Discovery
Creates files inside the user directory | System Summary |
Creates temporary files | System Summary |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection |
Reads software policies | System Summary |
SQL strings found in memory and binary data | System Summary | File and Directory Discovery
Sample is known by Antivirus | System Summary |
Sample might require command line arguments | System Summary |
Sample reads its own file content | System Summary |
Tries to load missing DLLs | System Summary |
PE file has a big raw section | System Summary |
Submission file is bigger than most known malware samples | System Summary |

C:\ProgramData\MPGPH131\MPGPH131.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\MPGPH131\MPGPH131.exe
Category: dropped
Dump: MPGPH131.exe.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\BqqQh4Jr7L.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.967934456708274
Encrypted: false
Ssdeep: 98304:owbi+g33t3xUt7a48cvEHX86yzdgjTbCTyb:oDnhx3tQQ7lCTyb
Size: 3251216
Whitelisted: false
Reputation: low

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Query firmware table information (likely to detect VMs) | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
URLs found in memory or binary data | Networking |

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped

File: C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier
Category: dropped
Dump: MPGPH131.exe_Zone.Identifier.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\BqqQh4Jr7L.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: high

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Query firmware table information (likely to detect VMs) | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Tries to load missing DLLs | System Summary |
URLs found in memory or binary data | Networking |

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Category: dropped
Dump: RageMP131.exe.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\BqqQh4Jr7L.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.967934456708274
Encrypted: false
Ssdeep: 98304:owbi+g33t3xUt7a48cvEHX86yzdgjTbCTyb:oDnhx3tQQ7lCTyb
Size: 3251216
Whitelisted: false
Reputation: low

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Query firmware table information (likely to detect VMs) | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior |
One or more processes crash | System Summary |
Queries information about the installed CPU (vendor, model number etc) | Language, Device and Operating System Detection | System Information Discovery
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample execution stops while process was sleeping (likely an evasion) | Malware Analysis System Evasion |
Sigma detected: CurrentVersion Autorun Keys Modification | System Summary |
Queries a list of all running processes | Malware Analysis System Evasion |
Reads ini files | System Summary | File and Directory Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Checks if Microsoft Office is installed | System Summary | System Information Discovery

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped

File: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier
Category: dropped
Dump: RageMP131.exe_Zone.Identifier.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\BqqQh4Jr7L.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: high

Signature Hits | Behavior Group | Mitre Attack
Machine Learning detection for dropped file | AV Detection |
Query firmware table information (likely to detect VMs) | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
One or more processes crash | System Summary |
Queries information about the installed CPU (vendor, model number etc) | Language, Device and Operating System Detection | System Information Discovery
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample execution stops while process was sleeping (likely an evasion) | Malware Analysis System Evasion |
Queries a list of all running processes | Malware Analysis System Evasion |
Reads ini files | System Summary | File and Directory Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Checks if Microsoft Office is installed | System Summary | System Information Discovery

C:\Users\user\AppData\Local\Temp\Oh3LlYeM6Hc4fU6JG8kBRXb.zip | Zip archive data, at least v2.0 to extract, compression method=deflate | dropped

File: C:\Users\user\AppData\Local\Temp\Oh3LlYeM6Hc4fU6JG8kBRXb.zip
Category: dropped
Dump: Oh3LlYeM6Hc4fU6JG8kBRXb.zip.11.dr
ID: dr_18
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy: 7.8965573815896875
Encrypted: false
Ssdeep: 96:tWGzqeAoMq+YK0KF8cAJiI2i+u/c7KtkbUudTGB9kSyzS3KJVV:hqASpF8wFlRNTe9kSX6Jn
Size: 5533
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Yara detected RisePro Stealer | Stealing of Sensitive Information, Remote Access Functionality |

C:\ProgramData\Microsoft\Windows\WER\Temp\WER464C.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jun 22 21:42:00 2024, 0x1205a4 type | dropped

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER464C.tmp.dmp
Category: dropped
Dump: WER464C.tmp.dmp.15.dr
ID: dr_26
Target ID: 15
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 15 streams, Sat Jun 22 21:42:00 2024, 0x1205a4 type
Entropy: 2.0465064576935625
Encrypted: false
Ssdeep: 384:WSep8dMlFtvvwBo1dfgwPiwh5jWK+y9JuJ2yP4St2y1F:/+plFtvF0well1
Size: 104482
Whitelisted: false
Reputation: low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4803.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4803.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WER4803.tmp.WERInternalMetadata.xml.15.dr
ID: dr_27
Target ID: 15
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.6975382896142612
Encrypted: false
Ssdeep: 192:R6l7wVeJPK6llmUO6Y9MSUIgmfBJJWRprr89bN9sf+ITPm:R6lXJy6lAUO6YmSUIgmfBJJ5N2f+p
Size: 8396
Whitelisted: false
Reputation: low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4852.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4852.tmp.xml
Category: dropped
Dump: WER4852.tmp.xml.15.dr
ID: dr_28
Target ID: 15
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.508185219787914
Encrypted: false
Ssdeep: 48:cvIwWl8zs5Jg77aI99KWpW8VYbYm8M4JlqFM0+q8Jzn8fnceAd:uIjfLI7Dr7VjJqA8fncDd
Size: 4708
Whitelisted: false
Reputation: low

C:\Users\user\AppData\Local\Temp\rage131MP.tmp | ASCII text, with no line terminators | modified

File: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Category: modified
Dump: rage131MP.tmp.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\BqqQh4Jr7L.exe
Type: ASCII text, with no line terminators
Entropy: 2.6612262562697895
Encrypted: false
Ssdeep: 3:LEkYA:I9A
Size: 13
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates temporary files | System Summary |

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\02zdBXl47cvzcookies.sqlite | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\02zdBXl47cvzcookies.sqlite
Category: dropped
Dump: 02zdBXl47cvzcookies.sqlite.11.dr
ID: dr_20
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Entropy: 0.08235737944063153
Encrypted: false
Ssdeep: 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
Size: 98304
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\0KkfNlrcRm1qWeb Data | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\0KkfNlrcRm1qWeb Data
Category: dropped
Dump: 0KkfNlrcRm1qWeb Data.11.dr
ID: dr_24
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Entropy: 1.1358696453229276
Encrypted: false
Ssdeep: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
Size: 106496
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\3b6N2Xdh3CYwplaces.sqlite | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\3b6N2Xdh3CYwplaces.sqlite
Category: dropped
Dump: 3b6N2Xdh3CYwplaces.sqlite.11.dr
ID: dr_21
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Entropy: 0.037963276276857943
Encrypted: false
Ssdeep: 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
Size: 5242880
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\D87fZN3R3jFeplaces.sqlite | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\D87fZN3R3jFeplaces.sqlite
Category: dropped
Dump: D87fZN3R3jFeplaces.sqlite.11.dr
ID: dr_19
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Entropy: 0.037963276276857943
Encrypted: false
Ssdeep: 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
Size: 5242880
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\O7KE8nvUodlUWeb Data | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\O7KE8nvUodlUWeb Data
Category: dropped
Dump: O7KE8nvUodlUWeb Data.11.dr
ID: dr_10
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Entropy: 0.9746603542602881
Encrypted: false
Ssdeep: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
Size: 114688
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\OD5iAVeDXtaqWeb Data | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\OD5iAVeDXtaqWeb Data
Category: dropped
Dump: OD5iAVeDXtaqWeb Data.11.dr
ID: dr_12
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Entropy: 0.9746603542602881
Encrypted: false
Ssdeep: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
Size: 114688
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\RPeiaMgqE3WHWeb Data | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\RPeiaMgqE3WHWeb Data
Category: dropped
Dump: RPeiaMgqE3WHWeb Data.11.dr
ID: dr_14
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Entropy: 0.9746603542602881
Encrypted: false
Ssdeep: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
Size: 114688
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\Vw4BVaQyHMhtLogin Data For Account | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\Vw4BVaQyHMhtLogin Data For Account
Category: dropped
Dump: Vw4BVaQyHMhtLogin Data For Account.11.dr
ID: dr_23
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8553638852307782
Encrypted: false
Ssdeep: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
Size: 40960
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\Vx_X0jnKJEwoCookies | SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\Vx_X0jnKJEwoCookies
Category: dropped
Dump: Vx_X0jnKJEwoCookies.11.dr
ID: dr_6
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Entropy: 2.5793180405395284
Encrypted: false
Ssdeep: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
Size: 28672
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\WG8uD7f7bdsYWeb Data | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\WG8uD7f7bdsYWeb Data
Category: dropped
Dump: WG8uD7f7bdsYWeb Data.11.dr
ID: dr_8
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Entropy: 1.1358696453229276
Encrypted: false
Ssdeep: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
Size: 106496
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\WLZTFMBUMZWbHistory | SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\WLZTFMBUMZWbHistory
Category: dropped
Dump: WLZTFMBUMZWbHistory.11.dr
ID: dr_13
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Entropy: 0.47147045728725767
Encrypted: false
Ssdeep: 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
Size: 126976
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\aeDD7pYnP_3THistory | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\aeDD7pYnP_3THistory
Category: dropped
Dump: aeDD7pYnP_3THistory.11.dr
ID: dr_7
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Entropy: 0.7873599747470391
Encrypted: false
Ssdeep: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
Size: 159744
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\bzE_GuQuX4wzLogin Data | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\bzE_GuQuX4wzLogin Data
Category: dropped
Dump: bzE_GuQuX4wzLogin Data.11.dr
ID: dr_22
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8553638852307782
Encrypted: false
Ssdeep: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
Size: 40960
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\gCOPRjU6mlYqLogin Data | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\gCOPRjU6mlYqLogin Data
Category: dropped
Dump: gCOPRjU6mlYqLogin Data.11.dr
ID: dr_9
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8180424350137764
Encrypted: false
Ssdeep: 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
Size: 49152
Whitelisted: true
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\gLk3dE9_lXR1History | SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\gLk3dE9_lXR1History
Category: dropped
Dump: gLk3dE9_lXR1History.11.dr
ID: dr_11
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Entropy: 0.47147045728725767
Encrypted: false
Ssdeep: 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
Size: 126976
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\n6RXdwyEVS1qHistory | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\n6RXdwyEVS1qHistory
Category: dropped
Dump: n6RXdwyEVS1qHistory.11.dr
ID: dr_25
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Entropy: 0.7873599747470391
Encrypted: false
Ssdeep: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
Size: 159744
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\tcATMc9tGZ4JWeb Data | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped

File: C:\Users\user\AppData\Local\Temp\span7AaJtvoQ2WL1\tcATMc9tGZ4JWeb Data
Category: dropped
Dump: tcATMc9tGZ4JWeb Data.11.dr
ID: dr_5
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Entropy: 1.1358696453229276
Encrypted: false
Ssdeep: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
Size: 106496
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1\Cookies\Chrome_Default.txt | ASCII text, with very long lines (769), with CRLF line terminators | dropped

File: C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1\Cookies\Chrome_Default.txt
Category: dropped
Dump: Chrome_Default.txt.11.dr
ID: dr_16
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: ASCII text, with very long lines (769), with CRLF line terminators
Entropy: 6.038274200863744
Encrypted: false
Ssdeep: 96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
Size: 6085
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1\information.txt | ASCII text, with CRLF, LF line terminators | dropped

File: C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1\information.txt
Category: dropped
Dump: information.txt.11.dr
ID: dr_17
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: ASCII text, with CRLF, LF line terminators
Entropy: 5.469332433440987
Encrypted: false
Ssdeep: 96:xRwffORfFcT4AisphstDc+MnVBsdANUbg3x:xLVFvAtphQoVB
Size: 7361
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1\passwords.txt | Unicode text, UTF-8 text, with CRLF, LF line terminators | dropped

File: C:\Users\user\AppData\Local\Temp\trixy7AaJtvoQ2WL1\passwords.txt
Category: dropped
Dump: passwords.txt.11.dr
ID: dr_15
Target ID: 11
Process: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Type: Unicode text, UTF-8 text, with CRLF, LF line terminators
Entropy: 2.518316437186352
Encrypted: false
Ssdeep: 48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
Size: 4897
Whitelisted: false
Reputation: timeout