Dropped Files | ZeroBOX
Name cc64163eb50774d9_e
Filepath C:\Users\test22\AppData\Roaming\pEeYJiXbwPzvw\e
Size 571.3KB
Type ASCII text, with very long lines, with CRLF, CR, LF line terminators
MD5 f9ca6f29e8aa8abe9751ce86ed5dd0d4
SHA1 44a783af688c7ce5fa71110e5439938abe7c49f1
SHA256 cc64163eb50774d9137953da90faa4571b7e7ba863404336b1b5aa377767a435
CRC32 35EBBEA4
ssdeep 6144:xj2BPZCAc7nG+aFTQVPX3aUX+5vy6bavXNjWUcKDt58Ax:d2tZC3G+94lbCX7zDth
Yara None matched
Name e3b0c44298fc1c14_nsb265.tmp
Empty file or file not found
Filepath C:\Users\test22\AppData\Local\Temp\nsb265.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 2f7f8fc05dc4fd0d_UAC.dll
Filepath C:\Users\test22\AppData\Local\Temp\nsb266.tmp\UAC.dll
Size 14.5KB
Processes 6988 (lv.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
CRC32 1FE27A66
ssdeep 192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • win_token - Affect system token
  • IsPE32 - (no description)
  • IsDLL - (no description)
  • IsWindowsGUI - (no description)
  • HasRichSignature - Rich Signature Check
Name d1f8f823057a7d8d_Col.accde
Filepath C:\Users\test22\AppData\Roaming\pEeYJiXbwPzvw\Col.accde
Size 140.0KB
Processes 4232 (vpn.exe) 6744 (Mano.exe.com)
Type data
MD5 a225e68c250bef69734cca3cb6355e5d
SHA1 bba7c7238f3c659f450da3a0c85bb5c584a3c4eb
SHA256 d1f8f823057a7d8d3c434ef85d3ed1a08a184135ad55d06bf53b564727e8f520
CRC32 6690F703
ssdeep 3072:vbGDkXz0g/RtmIId/sYOxmofxQudDFyGp5pwAwa9xwnnbG:D+az0ORFOkYd4tdDfnVwGwnbG
Yara None matched
Name 3b49b4439709c289_estraneo.accde
Filepath C:\Users\test22\AppData\Roaming\pEeYJiXbwPzvw\Estraneo.accde
Size 121.5KB
Processes 4232 (vpn.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 ba8224e5fef37aa50032574ea911d7d0
SHA1 cdecbcf76305b1dfaacdffe9663a80bffb099dab
SHA256 3b49b4439709c289bf245cfc8e9f6a303eaf1bd395d7191dcc0f5d533690c95f
CRC32 3FE0AE14
ssdeep 3072:gJd+uMDCq152jhA+sj4rNJock3DY55bNS:gJd+u+Cq15YW+rrcY55bE
Yara None matched
Name 2e3934b470ad6dca_vpn.exe
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
Size 988.5KB
Processes 6988 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5 66bafc61c451d8a5b4d93bc7e621d337
SHA1 f099bded5da236ffd5cf1bf12d4ca6f1be3516bf
SHA256 2e3934b470ad6dca4e90000ef482c1d7042de9b52c91d11ce20c7572bfa71ea4
CRC32 610416F8
ssdeep 24576:qx4tQdXiD/QkUxkXcYT+X/lxcw1S9AFXluHWfLn33:qx4tbzQjRMW/l+EtFX8i7H
Yara
  • PE_Header_Zero - PE File Signature Zero
  • Malicious_Library_Zero - Malicious_Library
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasModified_DOS_Message - DOS Message Check
Name b983cb64428c4bb8_angolo.accde
Filepath C:\Users\test22\AppData\Roaming\pEeYJiXbwPzvw\Angolo.accde
Size 921.8KB
Processes 4232 (vpn.exe)
Type data
MD5 0239542b8274e1f3438c90a4997af442
SHA1 7054ad27838ad2b2f268bba34b0435a6f8261bff
SHA256 b983cb64428c4bb8eead6a3fedb854d49b8c928e0333b8086525e7d2b561ab94
CRC32 4A9AE0CD
ssdeep 24576:RJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:RC7hGOSPT/PxebaiO
Yara
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • AutoIt - www.autoitscript.com/site/autoit/
Name 560c78c920a92597_4.exe
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
Size 287.0KB
Processes 6988 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 067bd7dce1e0c12e0561788685dfe875
SHA1 f5ca5c5e2f8a8855ccd23927a95671e0b479239a
SHA256 560c78c920a925975680c8ee387a2ceae2678df7335fea19a539e6447742ad87
CRC32 1BA18199
ssdeep 6144:x886dAU7Tw4RbcLa98doLNIOgwSfhU58qTleQwo:xR6SU7Td9c+9woL+1fhQbBe2
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Trojan_Win32_Glupteba_1_Zero - Trojan Win32 Glupteba
  • win_mutex - Create or check mutex
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check