Dropped Files | ZeroBOX
Name 8a90c9c732daf1f3_Tuo.xlsx
Filepath C:\Users\test22\AppData\Roaming\NCwnGqFlMUwdW\Tuo.xlsx
Size 140.0KB
Processes 1556 (vpn.exe) 2740 (Campeggia.exe.com)
Type data
MD5 48d9d44792d95747db9ae0d0ca064c05
SHA1 251697e2b005bff981f9b095b9bff52f7bcf36c8
SHA256 8a90c9c732daf1f3a2932a1d975d08033c74d33aee50a7e2b5c6ff8f2f3a2887
CRC32 401757B0
ssdeep 3072:Jgh76ECjLBFlvf1mu2u8pdnQQGfgC95NzR3aumqtIrV:eeBF5l8pdQQGoC95Nhvmqtg
Yara None matched
Name 2f7f8fc05dc4fd0d_UAC.dll
Filepath C:\Users\test22\AppData\Local\Temp\nsn6134.tmp\UAC.dll
Size 14.5KB
Processes 2776 (lv.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
CRC32 1FE27A66
ssdeep 192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Yara
  • escalate_priv - Escalate privileges
  • win_token - Affect system token
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsDLL - (no description)
  • IsWindowsGUI - (no description)
  • HasRichSignature - Rich Signature Check
Name 102f72713d16092d_giudichera.xlsx
Filepath C:\Users\test22\AppData\Roaming\NCwnGqFlMUwdW\Giudichera.xlsx
Size 921.8KB
Processes 1556 (vpn.exe)
Type data
MD5 edaf8379e0441cd6b2b3e22c98af3d0f
SHA1 60a81fb66f17b08a2830a4c05182df2f70215b22
SHA256 102f72713d16092d8f27f67661aaf48415b1eac92f1665c5161368df7b7b97ab
CRC32 B75CD887
ssdeep 24576:UJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:UC7hGOSPT/PxebaiO
Yara
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • AutoIt - www.autoitscript.com/site/autoit/
Name af0624c19fab9990_animatore.xlsx
Filepath C:\Users\test22\AppData\Roaming\NCwnGqFlMUwdW\Animatore.xlsx
Size 119.1KB
Processes 1556 (vpn.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 0baf97a3eddbb5d830e0ede91bfb2c30
SHA1 5aa425bbabae7f3d059d4c8f70243288c1ed9e86
SHA256 af0624c19fab99904c5e7bae8267f7620808187fbdf6a0da875c3951282f5a00
CRC32 E1691B00
ssdeep 3072:7CTOZ//ULx/yc8zSmGaWy9+F0xJm3DCZYyMCvMyq6yjH:7CS1/qx/v8zSmGAgF0Dm3H
Yara None matched
Name e3b0c44298fc1c14_nsy6124.tmp
Empty file or file not found
Filepath C:\Users\test22\AppData\Local\Temp\nsy6124.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name e8cdf586ace510f9_vpn.exe
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
Size 1.1MB
Processes 2776 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5 5d9497e2b90970d82af089718004e80e
SHA1 5a69f6eb77ec465caf754bb5c2ac7f48adb21659
SHA256 e8cdf586ace510f9104e1cc2d8ae33ab220b0cb67782d0035d26afbc62b34e40
CRC32 B5363185
ssdeep 24576:w1qUucZ6kA4M28zCoSRoCmqwAJ3NjvT563f:w1qUuc0kA4M28cMYNrF6v
Yara
  • Malicious_Library_Zero - Malicious_Library
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasModified_DOS_Message - DOS Message Check
Name 8ac062b42f3a76b3_m
Filepath C:\Users\test22\AppData\Roaming\NCwnGqFlMUwdW\m
Size 615.7KB
Type ASCII text, with very long lines, with CRLF, CR, LF line terminators
MD5 6ca944c2258ab56b4b1cf01bbebc9ade
SHA1 2d1855d5f0ea5023ebf6deec8712a143cad4aea1
SHA256 8ac062b42f3a76b381e4f9f54abb43f390307b286c232e4cc5f83214c851d109
CRC32 EA1493B0
ssdeep 6144:DS4cKny29bsJ8PwT33UtHen+TeEMlMd2aqxlyya5U4F0HMamf5rZIMdtE:G4cSPZLEoen+TCaqPja5UU0s5rG
Yara None matched
Name 568d73074880063d_4.exe
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
Size 334.5KB
Processes 2776 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d3452067a01490a4c0ff7cd525ad521c
SHA1 377544b9a8c1b588654f330f397f2b69f243caee
SHA256 568d73074880063d4d2b3e9d3ddb938685de8ec8e24974ff32f5f47d55a2dcb0
CRC32 E971B038
ssdeep 6144:Acqgl6RALT2LnWeuvW/ygGCg5VXqne8TBnmQ8G/f7iPfRY:Acqib3Oz/ygGCqJg9lJf2P5Y
Yara
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
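Added example, not part of the ZeroBOX report: a Python script that recomputes the hash columns of this table for a file you hold (so a local copy can be confirmed as the same artefact before it is shared or uploaded), reproduces the report's Name convention (first 16 hex digits of the SHA256, an underscore, then the file name), and audits the records above for two things worth flagging: files whose reported type contradicts their extension (three of the .xlsx drops are typed `data` or `ASCII text`, so they are not spreadsheets) and the empty file, whose MD5/SHA1/SHA256 are the well-known digests of zero bytes and whose CRC32 is 00000000. The expected-type table and the coarse `sniff_type` classifier are my assumptions, not libmagic; the records are copied from the table above.

```python
"""Audit dropped-file records from a sandbox report (added example, not ZeroBOX's code)."""
import hashlib
import zlib

# Records copied from the report above: (file name, reported type, md5, sha1, sha256, crc32).
REPORT = [
    ("Tuo.xlsx", "data",
     "48d9d44792d95747db9ae0d0ca064c05", "251697e2b005bff981f9b095b9bff52f7bcf36c8",
     "8a90c9c732daf1f3a2932a1d975d08033c74d33aee50a7e2b5c6ff8f2f3a2887", "401757B0"),
    ("UAC.dll", "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
     "adb29e6b186daa765dc750128649b63d", "160cbdc4cb0ac2c142d361df138c537aa7e708c9",
     "2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08", "1FE27A66"),
    ("Animatore.xlsx", "ASCII text, with very long lines, with CRLF line terminators",
     "0baf97a3eddbb5d830e0ede91bfb2c30", "5aa425bbabae7f3d059d4c8f70243288c1ed9e86",
     "af0624c19fab99904c5e7bae8267f7620808187fbdf6a0da875c3951282f5a00", "E1691B00"),
    ("nsy6124.tmp", "empty",
     "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "00000000"),
    ("vpn.exe", "PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive",
     "5d9497e2b90970d82af089718004e80e", "5a69f6eb77ec465caf754bb5c2ac7f48adb21659",
     "e8cdf586ace510f9104e1cc2d8ae33ab220b0cb67782d0035d26afbc62b34e40", "B5363185"),
]

# Assumed mapping from extension to substrings libmagic uses for the format it implies.
# An OOXML spreadsheet is a zip container, so either label is acceptable for .xlsx.
EXPECTED_TYPE = {
    ".xlsx": ("Microsoft Excel", "Zip archive"),
    ".exe": ("PE32",),
    ".dll": ("PE32",),
}

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def hash_bytes(data: bytes) -> dict:
    """Recompute the four hash columns of the report for raw file bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # zlib.crc32 is the same CRC-32 the report shows, printed as 8 upper-case hex digits.
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def report_name(filename: str, sha256: str) -> str:
    """The report's Name column: first 16 hex digits of SHA256, '_', then the file name."""
    return sha256[:16] + "_" + filename


def sniff_type(data: bytes) -> str:
    """Coarse magic-based classifier for files you hold locally (an assumption, not libmagic)."""
    if not data:
        return "empty"
    if data[:2] == b"MZ":
        return "PE32"          # DOS stub that starts every Windows executable or DLL
    if data[:4] == b"PK\x03\x04":
        return "Zip archive"   # container used by OOXML (.xlsx, .docx) and plain .zip
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "ASCII text"
    return "data"


def extension_mismatch(filename: str, reported_type: str) -> bool:
    """True when the reported type does not match what the extension claims."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    expected = EXPECTED_TYPE.get(ext)
    if expected is None:
        return False           # no expectation for unknown or missing extensions
    return not any(tag in reported_type for tag in expected)


def audit(records) -> dict:
    """Map each file name to the list of findings raised for it."""
    findings = {}
    for name, rtype, md5, sha1, sha256, crc32 in records:
        notes = []
        if sha256 == EMPTY_SHA256:
            notes.append("empty file (hashes are the digests of zero bytes)")
        if extension_mismatch(name, rtype):
            notes.append("extension/type mismatch: %s reported as %r" % (name, rtype))
        findings[name] = notes
    return findings


def verify_local_copy(data: bytes, record) -> bool:
    """Confirm a file you hold is the artefact the report describes before sharing it."""
    name, rtype, md5, sha1, sha256, crc32 = record
    got = hash_bytes(data)
    return (got["md5"], got["sha1"], got["sha256"], got["crc32"]) == (md5, sha1, sha256, crc32)


if __name__ == "__main__":
    for name, notes in audit(REPORT).items():
        print(name, "->", notes or ["ok"])
    # The zero-byte temp file is the one record we can reproduce exactly without the sample.
    print("empty tmp verified:", verify_local_copy(b"", REPORT[3]))
```

The audit flags Tuo.xlsx and Animatore.xlsx (type contradicts extension) and nsy6124.tmp (empty), and passes UAC.dll and vpn.exe; `verify_local_copy(b"", REPORT[3])` returns True because the empty file's four hash columns are exactly those of zero bytes. For the other records you would need the samples themselves to verify.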