file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.9478346574084195
Filename: file.exe
Filesize: 1766400
MD5: 3a8e4485dffff1de900b30449b33e56a
SHA1: b932de6fd713fcdc1f97c8b5f5144ef654f77ac3
SHA256: 624a02ea536c673b4939e19f0509d585afebc7a8d73177d466f1b2b58aa5a901
SHA512: b16b4dba6b82c5982731dfa44989e14910363c619baa39bcb70b2b64d52adeb8ddb23fc0fc367ef48b0c1f19db365ea8998c199744950d5c81aada5345ebc00b
SSDEEP: 49152:WLaQn6Pg+6UZRNXW1oRlBCO9JwKrUEB4EOIkxZjX5sPOE:WuQnc6SRl1jxHHJOEIx3sGE
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........PE..L.....Hg...........

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection | Extra Window Memory Injection
Attempt to bypass Chrome Application-Bound Encryption | Remote Access Functionality | Extra Window Memory Injection
Detected unpacking (changes PE section rights) | Data Obfuscation | Extra Window Memory Injection
Multi AV Scanner detection for submitted file | AV Detection |
Drops PE files to the document folder of the user | Persistence and Installation Behavior |
Found many strings related to Crypto-Wallets (likely being stolen) | Stealing of Sensitive Information |
Hides threads from debuggers | Anti Debugging | Extra Window Memory Injection
Machine Learning detection for sample | AV Detection |
PE file contains section with special chars | System Summary |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Extra Window Memory Injection
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Extra Window Memory Injection
Tries to detect virtualization through RDTSC time measurements | Malware Analysis System Evasion | Extra Window Memory Injection
Tries to evade debugger and weak emulator (self modifying code) | Malware Analysis System Evasion | Extra Window Memory Injection
Tries to harvest and steal Bitcoin Wallet information | Stealing of Sensitive Information | Extra Window Memory Injection
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information | Extra Window Memory Injection
Tries to harvest and steal ftp login credentials | Stealing of Sensitive Information |
Tries to steal Crypto Currency Wallets | Stealing of Sensitive Information | Extra Window Memory Injection
Tries to steal Mail credentials (via file / registry access) | Stealing of Sensitive Information |
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery
Contains functionality to call native functions | System Summary |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging |
Contains functionality to dynamically determine API calls | Data Obfuscation, Anti Debugging |
Contains functionality to open a port and listen for incoming connection (possibly a backdoor) | Remote Access Functionality |
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | Extra Window Memory Injection
Detected potential crypto function | System Summary | Extra Window Memory Injection
Drops PE files | Persistence and Installation Behavior | Extra Window Memory Injection
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Extensive use of GetProcAddress (often used to hide API calls) | Hooking and other Techniques for Hiding and Protection |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion | Extra Window Memory Injection
Found large amount of non-executed APIs | Malware Analysis System Evasion |
Found potential string decryption / allocating functions | System Summary | Extra Window Memory Injection, Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion |
PE file contains sections with non-standard names | Data Obfuscation | Extra Window Memory Injection
Queries information about the installed CPU (vendor, model number etc) | Language, Device and Operating System Detection |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection |
Sample file is different than original file name gathered from version info | System Summary |
Uses 32bit PE files | Compliance, System Summary |
Uses Microsoft's Enhanced Cryptographic Provider | Cryptography |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation |
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) | System Summary |
Contains functionality for error logging | System Summary |
Contains functionality to add an ACL to a security descriptor | HIPS / PFW / Operating System Protection Evasion |
Contains functionality to download additional files from the internet | Networking |
Contains functionality to query local / system time | Language, Device and Operating System Detection | System Information Discovery
Contains functionality to query system information | Malware Analysis System Evasion |
Contains functionality to register its own exception handler | Anti Debugging |
Creates files inside the user directory | System Summary |
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection | Extra Window Memory Injection
Enumerates the file system | Spreading, Malware Analysis System Evasion | Extra Window Memory Injection, File and Directory Discovery
May try to detect the Windows Explorer process (often used for injection) | HIPS / PFW / Operating System Protection Evasion |
Queries a list of all running drivers | Malware Analysis System Evasion |
Queries a list of all running processes | Malware Analysis System Evasion | Extra Window Memory Injection
Reads ini files | System Summary | Extra Window Memory Injection
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Sample might require command line arguments | System Summary | Extra Window Memory Injection
Tries to load missing DLLs | System Summary | Extra Window Memory Injection
URLs found in memory or binary data | Networking |
Uses an in-process (OLE) Automation server | System Summary |
PE file has a big raw section | System Summary | Extra Window Memory Injection
Checks if Microsoft Office is installed | System Summary |
Submission file is bigger than most known malware samples | System Summary | Extra Window Memory Injection

C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\freebl3.dll
Category: dropped
Dump: freebl3.dll.0.dr
ID: dr_14
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.872871740790978
Encrypted: false
Ssdeep: 12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
Size: 685392
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\mozglue.dll
Category: dropped
Dump: mozglue.dll.0.dr
ID: dr_16
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.833616094889818
Encrypted: false
Ssdeep: 12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
Size: 608080
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\nss3.dll
Category: dropped
Dump: nss3.dll.0.dr
ID: dr_20
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.787733948558952
Encrypted: false
Ssdeep: 49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
Size: 2046288
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\softokn3.dll
Category: dropped
Dump: softokn3.dll.0.dr
ID: dr_22
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.727482641240852
Encrypted: false
Ssdeep: 6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
Size: 257872
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll
Category: dropped
Dump: freebl3[1].dll.0.dr
ID: dr_15
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.872871740790978
Encrypted: false
Ssdeep: 12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
Size: 685392
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll
Category: dropped
Dump: mozglue[1].dll.0.dr
ID: dr_17
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.833616094889818
Encrypted: false
Ssdeep: 12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
Size: 608080
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll
Category: dropped
Dump: nss3[1].dll.0.dr
ID: dr_21
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.787733948558952
Encrypted: false
Ssdeep: 49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
Size: 2046288
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe
Category: dropped
Dump: random[1].exe.0.dr
ID: dr_7
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.9487970968386765
Encrypted: false
Ssdeep: 49152:BU3M/NF3eOV8d94fGPrYFOa0GW8V34+M:4M/eY8kfGzYFOa0GW8V
Size: 1890304
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll
Category: dropped
Dump: softokn3[1].dll.0.dr
ID: dr_23
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.727482641240852
Encrypted: false
Ssdeep: 6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
Size: 257872
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Category: dropped
Dump: skotes.exe.14.dr
ID: dr_47
Target ID: 14
Process: C:\Users\user\Documents\EBGDAAKJJD.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.9487970968386765
Encrypted: false
Ssdeep: 49152:BU3M/NF3eOV8d94fGPrYFOa0GW8V34+M:4M/eY8kfGzYFOa0GW8V
Size: 1890304
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Hides threads from debuggers | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names) | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Checks for debuggers (devices) | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines | Malware Analysis System Evasion | Security Software Discovery, Virtualization/Sandbox Evasion
Contains functionality to read the PEB | Anti Debugging |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines) | Malware Analysis System Evasion | System Information Discovery, Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery, Windows Management Instrumentation, Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sample execution stops while process was sleeping (likely an evasion) | Malware Analysis System Evasion |
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery, Windows Management Instrumentation
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\Documents\EBGDAAKJJD.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\Documents\EBGDAAKJJD.exe
Category: dropped
Dump: EBGDAAKJJD.exe.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.9487970968386765
Encrypted: false
Ssdeep: 49152:BU3M/NF3eOV8d94fGPrYFOa0GW8V34+M:4M/eY8kfGzYFOa0GW8V
Size: 1890304
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Detected unpacking (changes PE section rights) | Data Obfuscation |
Drops PE files to the document folder of the user | Persistence and Installation Behavior |
Hides threads from debuggers | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Machine Learning detection for dropped file | AV Detection |
Potentially malicious time measurement code found | Anti Debugging |
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) | Boot Survival | Security Software Discovery
Tries to detect sandboxes / dynamic malware analysis system (registry check) | Malware Analysis System Evasion | Security Software Discovery
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Contains functionality for execution timing, often used to detect debuggers | Malware Analysis System Evasion, Anti Debugging | Security Software Discovery
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Creates files inside the system directory | System Summary |
Creates job files (autostart) | Boot Survival |
Drops PE files | Persistence and Installation Behavior |
Searches for user specific document files | Stealing of Sensitive Information | File and Directory Discovery
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Sample might require command line arguments | System Summary | Command and Scripting Interpreter
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\ProgramData\AFIEGCAECGCAEBFHDHIE | ASCII text, with very long lines (1743), with CRLF line terminators | dropped

File: C:\ProgramData\AFIEGCAECGCAEBFHDHIE
Category: dropped
Dump: AFIEGCAECGCAEBFHDHIE.0.dr
ID: dr_6
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: ASCII text, with very long lines (1743), with CRLF line terminators
Entropy: 5.512408163813622
Encrypted: false
Ssdeep: 192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
Size: 9504
Whitelisted: false
Reputation: timeout

C:\ProgramData\FIJECAEH | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped

File: C:\ProgramData\FIJECAEH
Category: dropped
Dump: FIJECAEH.0.dr
ID: dr_11
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Entropy: 1.136413900497188
Encrypted: false
Ssdeep: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
Size: 106496
Whitelisted: false
Reputation: timeout

C:\ProgramData\IDHIDBAEGIIIDHJKEGDB | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped

File: C:\ProgramData\IDHIDBAEGIIIDHJKEGDB
Category: dropped
Dump: IDHIDBAEGIIIDHJKEGDB.0.dr
ID: dr_10
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8553638852307782
Encrypted: false
Ssdeep: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
Size: 40960
Whitelisted: false
Reputation: timeout

C:\ProgramData\IJKFCFHJ | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8 | dropped

File: C:\ProgramData\IJKFCFHJ
Category: dropped
Dump: IJKFCFHJ.0.dr
ID: dr_13
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Entropy: 1.121297215059106
Encrypted: false
Ssdeep: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
Size: 196608
Whitelisted: false
Reputation: timeout

C:\ProgramData\JDHJKKFBAEGDGDGCBKEC | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped

File: C:\ProgramData\JDHJKKFBAEGDGDGCBKEC
Category: dropped
Dump: JDHJKKFBAEGDGDGCBKEC.0.dr
ID: dr_12
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Entropy: 0.8746135976761988
Encrypted: false
Ssdeep: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
Size: 51200
Whitelisted: false
Reputation: timeout

C:\ProgramData\JKFHIIEHIEGDHJJJKFIIIIDGID | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped

File: C:\ProgramData\JKFHIIEHIEGDHJJJKFIIIIDGID
Category: dropped
Dump: JKFHIIEHIEGDHJJJKFIIIIDGID.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Entropy: 0.08235737944063153
Encrypted: false
Ssdeep: 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
Size: 98304
Whitelisted: false
Reputation: timeout

C:\ProgramData\KJEHCGDBFCBAKECBKKEBKEBFCA | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped

File: C:\ProgramData\KJEHCGDBFCBAKECBKKEBKEBFCA
Category: dropped
Dump: KJEHCGDBFCBAKECBKKEBKEBFCA.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Entropy: 0.03859996294213402
Encrypted: false
Ssdeep: 192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
Size: 5242880
Whitelisted: false
Reputation: timeout

C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\msvcp140.dll
Category: dropped
Dump: msvcp140.dll.0.dr
ID: dr_18
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.673992339875127
Encrypted: false
Ssdeep: 12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
Size: 450024
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped

File: C:\ProgramData\vcruntime140.dll
Category: dropped
Dump: vcruntime140.dll.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.920480786566406
Encrypted: false
Ssdeep: 1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
Size: 80880
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\30e89fff-668c-4214-acf7-132f1426e2ae.tmp | JSON data | dropped

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\30e89fff-668c-4214-acf7-132f1426e2ae.tmp
Category: dropped
Dump: 30e89fff-668c-4214-acf7-132f1426e2ae.tmp.6.dr
ID: dr_35
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.090740442533821
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBM5wuF9hDO6vP6O+4tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE165tbz8hu3VlXr4CRo1
Size: 44137
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4eed8ea2-d17e-4d91-9d2e-901dcea053d9.tmp | JSON data | dropped

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4eed8ea2-d17e-4d91-9d2e-901dcea053d9.tmp
Category: dropped
Dump: 4eed8ea2-d17e-4d91-9d2e-901dcea053d9.tmp.8.dr
ID: dr_41
Target ID: 8
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.096875151317424
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBiwu2hDO6vP6OLN+6ulqFDPl4wcGoup1Xl3jVzXr2:z/Ps+wsI7ynE06rHchu3VlXr4CRo1
Size: 44643
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\58a8b97a-0c72-4138-b547-7916e16022c2.tmp | JSON data | modified

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\58a8b97a-0c72-4138-b547-7916e16022c2.tmp
Category: modified
Dump: 58a8b97a-0c72-4138-b547-7916e16022c2.tmp.6.dr
ID: dr_38
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.097029812691297
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkB+wu2hDO6vP6OLN+CmjBqmcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7ynEI6richu3VlXr4CRo1
Size: 44620
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8891fdfd-eb28-4ba8-a708-ad2299871ea9.tmp | JSON data | dropped

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8891fdfd-eb28-4ba8-a708-ad2299871ea9.tmp
Category: dropped
Dump: 8891fdfd-eb28-4ba8-a708-ad2299871ea9.tmp.6.dr
ID: dr_37
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.097029812691297
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkB+wu2hDO6vP6OLN+CmjBqmcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7ynEI6richu3VlXr4CRo1
Size: 44620
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-674A960A-15A4.pma | data | dropped

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-674A960A-15A4.pma
Category: dropped
Dump: BrowserMetrics-674A960A-15A4.pma.8.dr
ID: dr_43
Target ID: 8
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: data
Entropy: 0.04666570148660471
Encrypted: false
Ssdeep: 192:gVhS0pqtm2nOAWVKYoJgA8x5XSggykfhMNNEaqIw/ERQcUdBvxDNQWn8y08Tcm2D:ao0ctZMggk9hgaYIdTDf08T2RGOD
Size: 4194304
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | data | dropped

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Category: dropped
Dump: settings.dat.6.dr
ID: dr_33
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: data
Entropy: 4.132041621771752
Encrypted: false
Ssdeep: 3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
Size: 280
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version | ASCII text, with no line terminators | dropped

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version
Category: dropped
Dump: Last Version.6.dr
ID: dr_36
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: ASCII text, with no line terminators
Entropy: 2.7192945256669794
Encrypted: false
Ssdeep: 3:NYLFRQI:ap2I
Size: 13
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)
Category: dropped
Dump: 30e89fff-668c-4214-acf7-132f1426e2ae.tmp.6.dr
ID: dr_39
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.090740442533821
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBM5wuF9hDO6vP6O+4tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE165tbz8hu3VlXr4CRo1
Size: 44137
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37996.TMP (copy)
Category: dropped
Dump: 30e89fff-668c-4214-acf7-132f1426e2ae.tmp.6.dr
ID: dr_40
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.090740442533821
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBM5wuF9hDO6vP6O+4tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE165tbz8hu3VlXr4CRo1
Size: 44137
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF385ac.TMP (copy)
Category: dropped
Dump: 30e89fff-668c-4214-acf7-132f1426e2ae.tmp.6.dr
ID: dr_44
Target ID: 8
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.090740442533821
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBM5wuF9hDO6vP6O+4tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE165tbz8hu3VlXr4CRo1
Size: 44137
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF385bb.TMP (copy)
Category: dropped
Dump: 30e89fff-668c-4214-acf7-132f1426e2ae.tmp.6.dr
ID: dr_45
Target ID: 8
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.090740442533821
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBM5wuF9hDO6vP6O+4tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE165tbz8hu3VlXr4CRo1
Size: 44137
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations
Category: dropped
Dump: Variations.6.dr
ID: dr_34
Target ID: 6
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 4.3488360343066725
Encrypted: false
Ssdeep: 3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
Size: 85
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\b3309569-4258-4903-866d-02c733cde60a.tmp
Category: modified
Dump: b3309569-4258-4903-866d-02c733cde60a.tmp.8.dr
ID: dr_42
Target ID: 8
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Type: JSON data
Entropy: 6.096875151317424
Encrypted: false
Ssdeep: 768:zDXzgWPsj/qlGJqIY8GB4kkBiwu2hDO6vP6OLN+6ulqFDPl4wcGoup1Xl3jVzXr2:z/Ps+wsI7ynE06rHchu3VlXr4CRo1
Size: 44643
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll
Category: dropped
Dump: msvcp140[1].dll.0.dr
ID: dr_19
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.673992339875127
Encrypted: false
Ssdeep: 12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
Size: 450024
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll
Category: dropped
Dump: vcruntime140[1].dll.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy: 6.920480786566406
Encrypted: false
Ssdeep: 1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
Size: 80880
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\json[1].json
Category: dropped
Dump: json[1].json.0.dr
ID: dr_9
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: JSON data
Entropy: 5.3396734918493
Encrypted: false
Ssdeep: 24:OBfNaoQC+2cINePKllDQCIBfNaoQMgQcBYpDQM6BfNaoQDYPP1UQDK:SfNaoQCTcTEQC4fNaoQUQrfNaoQDEWQm
Size: 1267
Whitelisted: false
Reputation: timeout

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category: dropped
Dump: Docs.lnk.2.dr
ID: dr_29
Target ID: 2
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Nov 30 03:35:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy: 3.9742670303011853
Encrypted: false
Ssdeep: 48:8zfd8oTcsXow5HmidAKZdA19ehwiZUklqeh7y+3:8io45wKcy
Size: 2677
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category: dropped
Dump: Gmail.lnk.2.dr
ID: dr_27
Target ID: 2
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Nov 30 03:35:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy: 3.991386848117952
Encrypted: false
Ssdeep: 48:8/d8oTcsXow5HmidAKZdA1weh/iZUkAQkqehMy+2:8mo45wA9Q9y
Size: 2679
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category: dropped
Dump: Google Drive.lnk.2.dr
ID: dr_24
Target ID: 2
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy: 4.0046003846365865
Encrypted: false
Ssdeep: 48:8x6d8oTcsXowsHmidAKZdA14tseh7sFiZUkmgqeh7suy+BX:8xPo45w3nAy
Size: 2693
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category: dropped
Dump: Sheets.lnk.2.dr
ID: dr_26
Target ID: 2
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Nov 30 03:35:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy: 3.990841389547833
Encrypted: false
Ssdeep: 48:8rd8oTcsXow5HmidAKZdA1vehDiZUkwqehYy+R:8ao45wLmy
Size: 2681
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category: dropped
Dump: Slides.lnk.2.dr
ID: dr_28
Target ID: 2
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Nov 30 03:35:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy: 3.9807844723896606
Encrypted: false
Ssdeep: 48:8Wd8oTcsXow5HmidAKZdA1hehBiZUk1W1qehyy+C:8Do45wL9Sy
Size: 2681
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category: dropped
Dump: YouTube.lnk.2.dr
ID: dr_25
Target ID: 2
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Nov 30 03:35:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy: 3.987651463355351
Encrypted: false
Ssdeep: 48:85d8oTcsXow5HmidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbAy+yT+:8wo45wrT/TbxWOvTbAy7T
Size: 2683
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Category: dropped
Dump: cookies.sqlite-shm.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |

File: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Category: dropped
Dump: places.sqlite-shm.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\file.exe
Type: data
Entropy: 0.017262956703125623
Encrypted: false
Ssdeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
Size: 32768
Whitelisted: true
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Tries to harvest and steal browser information (history, passwords, etc) | Stealing of Sensitive Information |

File: C:\Windows\Tasks\skotes.job
Category: dropped
Dump: skotes.job.14.dr
ID: dr_46
Target ID: 14
Process: C:\Users\user\Documents\EBGDAAKJJD.exe
Type: data
Entropy: 3.3977462527562414
Encrypted: false
Ssdeep: 6:5jhwX55ZsUEZ+lX1CGdKUe6tFXqYEp5t/uy0lBZdt0:OuQ1CGAFifXVBZdt0
Size: 290
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary |
Creates job files (autostart) | Boot Survival |

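The Process column is what separates signal from noise in the records above: msedge.exe and chrome.exe writing their own profile files and "Chrome Apps" shortcuts is browser housekeeping that started when the sandbox opened those browsers, whereas file.exe writing the -shm side files that SQLite creates beside Firefox's WAL-mode cookies.sqlite and places.sqlite, and EBGDAAKJJD.exe (dropped to the user's Documents folder) writing skotes.job under C:\Windows\Tasks, are the sample's own actions. The Python below is an added example and not part of the report or the sandbox's tooling: it parses an excerpt of the dropped-file list in the flattened "Key: |" layout shown on this page and tags each record by who wrote it and where. The excerpt's values are copied from the records above with most fields trimmed; the tag names and the BROWSERS and PROFILE_DIRS lists are my own choices.

```python
import re

# Constructed excerpt in the report's flattened layout: "Key: |" opens a cell, the
# value follows (wrapped values span several lines) and a bare "|" closes it; the
# Signature Hits table is flattened the same way. Fields are trimmed to the essentials.
REPORT_EXCERPT = r"""
File: |
C:\Windows\Tasks\skotes.job
|
Process: |
C:\Users\user\Documents\EBGDAAKJJD.exe
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Creates job files (autostart) |
Boot Survival |
|
|
File: |
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
|
Process: |
C:\Users\user\Desktop\file.exe
|
|
File: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
|
Process: |
C:\Program Files\Google\Chrome\Application\chrome.exe
|
Signature Hits |
Behavior Group |
Mitre Attack |
|
Stores files to the Windows start menu directory |
Boot Survival |
Registry Run Keys / Startup Folder
|
"""

KEY_RE = re.compile(r"^([A-Za-z ]+): \|$")   # "File: |", "Target ID: |", ...

def parse_dropped_files(text):
    """One dict per record: its fields plus 'hits' = [(signature, behaviour group, mitre)]."""
    records, rec, key, value, in_table, row = [], None, None, [], False, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:                                    # a field opens; any open table has ended
            in_table = False
            if m.group(1) == "File" or rec is None:
                rec = {"hits": []}
                records.append(rec)
            key, value = m.group(1), []
        elif key is not None:                    # collecting a possibly wrapped value
            if line == "|":
                rec[key], key = " ".join(value), None
            else:
                value.append(line)
        elif line == "Signature Hits |":
            in_table, row = True, []
        elif in_table and line not in ("Behavior Group |", "Mitre Attack |"):
            if line != "|":                      # a cell; rows are hit, group[, mitre]
                row.append(line.rstrip("|").strip())
                continue
            if len(row) >= 2:                    # a bare "|" closes the row
                rec["hits"].append(tuple(row + [""] * (3 - len(row))))
            row = []                             # shorter fragments are summary-row residue
    return records

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}          # assumed list of browser binaries
PROFILE_DIRS = ("\\Mozilla\\Firefox\\Profiles\\", "\\Microsoft\\Edge\\User Data\\", "\\Google\\Chrome\\User Data\\")

def triage(records):
    """(path, tags, hits) per record: browser-written files are routine, sample-written ones are findings."""
    out = []
    for r in records:
        path, tags = r.get("File", ""), []
        if r.get("Process", "").rsplit("\\", 1)[-1].lower() in BROWSERS:
            tags.append("browser-internal")
        else:
            if any(d in path for d in PROFILE_DIRS):
                tags.append("browser-data-access")  # e.g. SQLite -shm created beside cookies.sqlite
            if "\\Windows\\Tasks\\" in path or path.lower().endswith(".job"):
                tags.append("autostart-job")
            if r.get("Type", "").startswith("PE32") and r.get("Whitelisted") != "true":
                tags.append("unknown-pe")        # a PE the sandbox did not recognise
        out.append((path, tags, r["hits"]))
    return out

if __name__ == "__main__":
    for path, tags, hits in triage(parse_dropped_files(REPORT_EXCERPT)):
        print(",".join(tags) or "none", "|", path, "|", "; ".join(h[0] for h in hits))
```

Run stand-alone it prints one line per record with its tags and signature names. Note that "Whitelisted" in the report is a verdict on the file's content (the Firefox -shm files and the Visual C++ runtime DLLs are whitelisted), so the triage keys on the writing process and the path instead; that is why the -shm files written by file.exe are tagged while the Chrome Apps shortcuts written by chrome.exe are not, even though the sandbox attached a Boot Survival signature to the latter.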
File: Chrome Cache Entry: 103
Category: downloaded
Dump: chromecache_103.4.dr
ID: dr_48
Target ID: 4
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Type: Unicode text, UTF-8 text, with very long lines (766)
Entropy: 5.191607526596143
Encrypted: false
Ssdeep: 24:wF6Ef3IGBHslgT9lCuABuoB7HHHHHHHYqmffffffo:wF6EfIGKlgZ01BuSEqmffffffo
Size: 772
Whitelisted: false
Reputation: timeout

File: Chrome Cache Entry: 104
Category: downloaded
Type: ASCII text