Dropped Files | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Dropped Files | ZeroBOX

Name	04c6c45a3b36bb98_d93f411851d7c929.customdestinations-ms Submit file
Filepath	c:\users\test22\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations-ms
Size	7.8KB
Processes	3056 (powershell.exe)
Type	data
MD5	`e8547785803e896eb9d2f56c32ea2c85`
SHA1	`858545374ff3bb795dc2ca4e307d2be66878c646`
SHA256	`04c6c45a3b36bb98ffdc681253a3a2b509fe3ea811d4e3e9955d2c954a0e56d0`
CRC32	`C21DC4EE`
ssdeep	`96:8tuCeGCPDXBqvsqvJCwo5tuCeGCPDXBqvsEHyqvJCworSP7Hwxf2lUVul:8tvXo5tvbHnorrxQ`
Yara	Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	8a9235655b1a499d_dllhost.exe Submit file
Filepath	C:\ProgramData\Dllhost\dllhost.exe
Size	62.0KB
Processes	2780 (Installer.exe)
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4aa5e32bfe02ac555756dc9a3c9ce583`
SHA1	`50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f`
SHA256	`8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967`
CRC32	`8E7E3EE7`
ssdeep	`768:+vfLyCdU0puufOIK1Nekmd52a3bCnP2PmxeETwM:+3LE0pu59ikmdYebCnO+xeEsM`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)
VirusTotal	Search for analysis

Name	1890d75314a2eecc_logs.uce Submit file
Filepath	C:\logs.uce
Size	344.0B
Processes	2780 (Installer.exe)
Type	ASCII text, with CRLF line terminators
MD5	`ed0a14b3d36192450cc104223990ff11`
SHA1	`9f95fa226cf1a30602d84885110838157d45a549`
SHA256	`1890d75314a2eeccf6841b129bd44129bbc65a3d8a3930d1d1f4efc093027cb1`
CRC32	`4AB7FC44`
ssdeep	`6:DiYgE/ov8TSQpg4nSEiYgE/ov8TSQpg4nSdI7wXP1tNa5J/m+iE6+2R5UyGnAK1v:uwg8+qSFwg8+qSktiw2RKFAov`
Yara	None matched
VirusTotal	Search for analysis

Name	9ef2e8714e85dcd1_winlogson.exe Submit file
Filepath	C:\ProgramData\Dllhost\winlogson.exe
Size	7.9MB
Processes	2780 (Installer.exe)
Type	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5	`4813fa6d610e180b097eae0ce636d2aa`
SHA1	`1e9cd17ea32af1337dd9a664431c809dd8a64d76`
SHA256	`9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc`
CRC32	`04A4594C`
ssdeep	`98304:ZLsUYfB9pOp/BWLbrkShfa+XQD/YPLTDtU5SXXMQHJw7ZB87TtIeUK+MzfL7cybS:Kgp/NQ7rfWOlb1paSbkJFsxfKLNIS`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check XMRig_Miner_IN - XMRig Miner IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	64929489dc8a0d66_killduplicate.cmd Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\KillDuplicate.cmd
Size	222.0B
Processes	1212 (conhost.exe)
Type	ASCII text, with CRLF line terminators
MD5	`68cecdf24aa2fd011ece466f00ef8450`
SHA1	`2f859046187e0d5286d0566fac590b1836f6e1b7`
SHA256	`64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770`
CRC32	`F14E4A56`
ssdeep	`6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3`
Yara	None matched
VirusTotal	Search for analysis

Name	344f076bb1211cb0_7z.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\7z.exe
Size	458.0KB
Processes	1212 (conhost.exe)
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`619f7135621b50fd1900ff24aade1524`
SHA1	`6c7ea8bbd435163ae3945cbef30ef6b9872a4591`
SHA256	`344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2`
CRC32	`085DB415`
ssdeep	`6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer
VirusTotal	Search for analysis

Name	34ad9bb80fe8bf28_7z.dll Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\7z.dll
Size	1.6MB
Processes	1212 (conhost.exe)
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`72491c7b87a7c2dd350b727444f13bb4`
SHA1	`1e9338d56db7ded386878eab7bb44b8934ab1bc7`
SHA256	`34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891`
CRC32	`D5226149`
ssdeep	`24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsDLL - (no description) IsPE64 - (no description) PE_Header_Zero - PE File Signature Microsoft_Office_File_Zero - Microsoft Office File
VirusTotal	Search for analysis

Name	d844121883e3a70c_Installer.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\Installer.exe
Size	21.0KB
Processes	2688 (7z.exe) 2152 (cmd.exe) 1212 (conhost.exe)
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9150887c23f96c92d6fb69228a524318`
SHA1	`6ff50a91ce7f5927474b71a566c12175a5ac0732`
SHA256	`d844121883e3a70cf99339df6d1c29f0e11de425a154e4c072e3519e40008ca7`
CRC32	`D0BB8E74`
ssdeep	`384:YbjjHZQ3NdofJHFrybCN906pXtM5PFNwN9zmjAsYk15/ufoWrynX:YbjjHe3kBgbGqBFNwAAsY0Nv`
Yara	UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	df49bcb0ed15c00a_file_3.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_3.zip
Size	9.7KB
Processes	2536 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v1.0 to extract
MD5	`c137845ccac9a1f9629cc6849bce8cd6`
SHA1	`70168bf6d013a49f8ce50b7fad1442c7c5f3fe05`
SHA256	`df49bcb0ed15c00a52c6cd71938007a9083ea1c29b47bcb6de68038e579bd392`
CRC32	`2A2436C5`
ssdeep	`192:AMhYR8ii/lW41LJ+k4Xo94/tgrgSVV0FSXwCasMoQRiTk:Apvi/IsknXoS/g0SXwaah`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	8a7a6d2218bd2639_AntiAV.data Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\AntiAV.data
Size	2.1MB
Processes	2344 (7z.exe) 2152 (cmd.exe)
Type	ASCII text, with very long lines, with no line terminators
MD5	`8ce3c9b690cc980145aa65008921d84d`
SHA1	`a588a3f8c5da0b4dcf9c771232250fb5ff5273b7`
SHA256	`8a7a6d2218bd2639d883fb1cd5d1122aed702edb8f10aadd138e9e6ed9d965a7`
CRC32	`68ED485C`
ssdeep	`24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xg:R9kqGu7okoZscCnf0/Zs9T`
Yara	Suspicious_Obfuscation_Script_2 - Suspicious obfuscation script (e.g. executable files)
VirusTotal	Search for analysis

Name	169302e6a7a3c64a_main.bat Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\main.bat
Size	474.0B
Processes	1212 (conhost.exe)
Type	Little-endian UTF-16 Unicode text, with no line terminators
MD5	`7ec1a17851445d988ecce0997436b552`
SHA1	`eb1ce535aeb67b215cf82e4cce1eb669ad2c3f83`
SHA256	`169302e6a7a3c64a00b3fd84cbc0d6afed5add9bc192d51d76240836b1b7af14`
CRC32	`996012DB`
ssdeep	`12:QUp+CF16g64CTFMj2LIQLvoXDyWaCVGrMLvmuCCgXjgrXgX78agXrrEOXUigXY:QUpNF16g632Cke2yWaCVGYTtS0rXS78F`
Yara	None matched
VirusTotal	Search for analysis

Name	c145fb5e1a61d923_file_2.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_2.zip
Size	9.6KB
Processes	2584 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`a4dee7d952d8266002f75dd48f3fdda0`
SHA1	`623eb7850b20549a7c0ae1ee59767f64c68d63a5`
SHA256	`c145fb5e1a61d923a97228623961a4cff48704444df6b7d2d7397360f9b231d6`
CRC32	`E9164569`
ssdeep	`192:2MhYR8ii/lW41LJ+k4Xo94/tgrgSVV0FSXwCasMoQRiTW:2pvi/IsknXoS/g0SXwaaD`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	be568c407d003489_file_7.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_7.zip
Size	10.2KB
Processes	2344 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`238ad10d5733a6d7dba140e8c6ae8045`
SHA1	`dabdf06f4558421610a70569ba11d4f9b0af9d3d`
SHA256	`be568c407d00348950834bd1c45a3b95f3d2e25a44ed677fe9f2ef8dcffe383a`
CRC32	`0F037F8D`
ssdeep	`192:WaRHyk5C5cW7G3FbZ6261qUUHP3Lki3a2sGohNxZW2q1I1O5VB5lPCIQ:WahRVW7GVF651qUUvbbQJC2m5LqJ`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	e7f0ca047e8620e9_file_1.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_1.zip
Size	9.4KB
Processes	2640 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`87ef20a3065effccedd91456c6ce4af6`
SHA1	`292394d575c787d23e7e4ac7ffe8c6912a7f59f4`
SHA256	`e7f0ca047e8620e954bc4539531f33331f084985d17058c2b3906a56f8a9d34b`
CRC32	`CB283AD0`
ssdeep	`192:hPH0WOKookTiMLL2TDmaurvclu/Wgukw5U+JfqTNY8:h/5MWTp8vUyXukvCa`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	4a9ac2596a46eebc_file.bin Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\file.bin
Size	1.5MB
Processes	1212 (conhost.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`1743d47645f5a5d479cbd1f387b09540`
SHA1	`49bea1153dbb495b424468ab0e2abac1dcdc8e22`
SHA256	`4a9ac2596a46eebc5494a2c4cf54727a3cddf634181581c8226ea7135803d052`
CRC32	`3A0CB473`
ssdeep	`49152:e5W1rQin9nTT5h+DtM8LFqokrmsaVn/jaAHQn0:e5W1rQinwnL/kasq2UA0`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	44841c11c6ca8a99_file_4.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_4.zip
Size	9.8KB
Processes	2488 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`770de2fc008cd58d454340714a969ed2`
SHA1	`232d60deac35cdc2dfd3665bff362046656150a8`
SHA256	`44841c11c6ca8a992e24b51ecd196061c2c2067eedbd9ab98b61ea8adaa512b6`
CRC32	`D5BEBCDA`
ssdeep	`192:lf/KyCkkCQ9T2AH/6UyUWcwY8ErfxR0H47hBE0hBHm0MWMJVOF953Bbk8vfnAXJZ:9+/2AH2Wz0Y00hBG0VMJ8Fv3BbbvfnaX`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	9b8e6ff405bf34e7_file_8.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_8.zip
Size	1.5MB
Processes	2284 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`497562f19c9b30cab21bcfa6d2e856c0`
SHA1	`8a5d7a39977ba8af8386853c0c01f67b9d593d25`
SHA256	`9b8e6ff405bf34e7ad8745a8189d5aa2ad76eaf0d9d1c1f817cbdc2ff66de4b0`
CRC32	`28D254D3`
ssdeep	`24576:HbI/7AAb+JQl3Vd02kOC/l5X4/KiROMdWbBkDC6SX39qbwK1ZNKdvLIJvQ27ly:HujCK3D0AC/l5mwbBkDWYb1ZN4UJ9py`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	43e5832c12a4627d_file_5.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_5.zip
Size	9.9KB
Processes	2440 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`211c79d7f7cd5c8fb46771497b721b82`
SHA1	`d6de530cbd41ef3aad02e98f4a407278b85b3a55`
SHA256	`43e5832c12a4627d6631916f55d5614d9c5b70ea58a6ed6174458f5df7c2a801`
CRC32	`DF1AFD3D`
ssdeep	`192:G23fH8EyHLm4E4RFCcpreS/04jJRzLVS3FASrO6cDz34lKR:TfH4rzE4ic1ek0Yzz4+SK6cDkli`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	11bd2c9f9e2397c9_winring0x64.sys Submit file
Filepath	C:\ProgramData\Dllhost\WinRing0x64.sys
Size	14.2KB
Processes	2780 (Installer.exe)
Type	PE32+ executable (native) x86-64, for MS Windows
MD5	`0c0195c48b6b8582fa6f6373032118da`
SHA1	`d25340ae8e92a6d29f599fef426a2bc1b5217299`
SHA256	`11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5`
CRC32	`6B0323EB`
ssdeep	`192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature
VirusTotal	Search for analysis

Name	b1b2331f306f6374_file_6.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_6.zip
Size	10.1KB
Processes	2392 (7z.exe) 2152 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`f81079580a700b0aa1bc1595cebca025`
SHA1	`5ab3e6fc7eaee236a725fb1d55c7c1adf52f8b3b`
SHA256	`b1b2331f306f6374daef7aa54a708efedb73cd9859a63397ddc0369022ae4293`
CRC32	`3937342D`
ssdeep	`192:6pLOgvgOmWEo/a0o05HUVUUAyjd/a22zOjARbhXZbAjfkOfLnWb3x+MENhTiKL7:6ZdvgOHztdajJa22zwM1XZM7nW4MKNiu`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	a9220271c0eb79e5_d93f411851d7c929.customDestinations-ms~RF182654c.TMP Submit file
Filepath	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF182654c.TMP
Size	7.8KB
Type	data
MD5	`b0c9ff441742f3847ea27da9dee7f2cd`
SHA1	`c42a1eb32ba953a0ce5d8635caabf71b5b281495`
SHA256	`a9220271c0eb79e5750e0d0e62058ecac560e09cdf9e82ef61aeeabada5d48a4`
CRC32	`0BBCAB1A`
ssdeep	`96:RutuCOGCPDXBqvsqvJCwo+utuCOGCPDXBqvsEHyqvJCworSP7Hwxf2lUVul:UtvXoxtvbHnorrxQ`
Yara	Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis