Dropped Files | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Dropped Files | ZeroBOX

Name	1beb05868ce93bcc_IE9CompatViewList[1].xml Submit file
Filepath	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\IE9CompatViewList[1].xml
Size	141.8KB
Type	XML 1.0 document, ASCII text, with CRLF line terminators
MD5	`9b63e0fb3785ffa49686dd75e303d177`
SHA1	`e3992de5a1b8f58a11a52ad71f275ae413927eb4`
SHA256	`1beb05868ce93bcc8fafc46adccdda6d104f3c6f6c6ed454d8a6c0c208d9bd0e`
CRC32	`F778EDEF`
ssdeep	`3072:AoSMrEDL1FwhdFFaz6l8vHG+TbFPAzepobjyG7I1K1IB2+Tir8v1IG9aIedyPcFC:dSMrEDL1FwhdFFaz6l8vHG+TbFPAzepR`
Yara	None matched
VirusTotal	Search for analysis

Name	d960bdedfa67b99c_d93f411851d7c929.customdestinations-ms Submit file
Filepath	c:\users\test22\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations-ms
Size	7.8KB
Processes	1892 (powershell.exe)
Type	data
MD5	`4debeebdda246e57cb8aa24e3aed6bdc`
SHA1	`b5c5f2e37f05dd94f9bb82cb61647b21d885afe6`
SHA256	`d960bdedfa67b99ccbb8ab256a2d14a4fa1f20928f1f04ee303dea8839c1fa7e`
CRC32	`F4683A7A`
ssdeep	`96:EtuCSGCPDXBqvsqvJCwoJtuCSGCPDXBqvsEHyqvJCworw7HwxClUVul:EtDXoJtDbHnorbxk`
Yara	Antivirus - Contains references to security software
VirusTotal	Search for analysis

Name	9047415f5b43a789_updata.exe Submit file
Filepath	c:\program files (x86)\jcleaner\updata.exe
Size	2.6MB
Processes	2260 (chashepro3.tmp)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3a1cfca84062f46d08142cc6d413fb5d`
SHA1	`3a14dcbeae24cc455e622c4d67fcf251ffd08bb0`
SHA256	`9047415f5b43a7895ab979c1df6fc81103ce21644e68e95420a5828857d140f1`
CRC32	`A0ADF283`
ssdeep	`49152:V6y3+X897JkQKIXA9YXl8ZmPzdY4ycaDy050BIsm7cIYJoNodMS/:V6y3N7Jk/39YXlCmPztycaDy0LciNo`
Yara	IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check anti_vm_detect - Possibly employs anti-virtualization techniques PE_Header_Zero - PE File Signature Zero
VirusTotal	Search for analysis

Name	3bb0ee5569fe5453_chashepro3.tmp Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\is-LV415.tmp\chashepro3.tmp
Size	702.5KB
Processes	112 (chashepro3.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1afbd25db5c9a90fe05309f7c4fbcf09`
SHA1	`baf330b5c249ca925b4ea19a52fe8b2c27e547fa`
SHA256	`3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c`
CRC32	`811A0355`
ssdeep	`12288:XqIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyR:aIZg+uiirPO37fzH4A6haDbcUZEbdT9+`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) IsWindowsGUI - (no description) borland_delphi - Borland Delphi 2.0 - 7.0 / 2005 - 2007 Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger spreading_file - Malware can spread east-west file win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero
VirusTotal	Search for analysis

Name	6ec867dc1caa77ec_tmpE7D9.tmp Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\tmpE7D9.tmp
Size	18.0KB
Type	SQLite 3.x database, last written using SQLite version 3021000
MD5	`f3a100cba30b2a07a7af8886e439024e`
SHA1	`a454cca0db028b4d0fb29fa932c9056519efe2cf`
SHA256	`6ec867dc1caa77ecfd8e457d464b6bebc3be8694b4c88734fa83d197c0b214cc`
CRC32	`72CF6AF8`
ssdeep	`24:LLI10KL7G0TMJHUyyJtmCm0XKY6lOKQAE9V8MffD4fOzeCmly6Uwc6KaW:oz+JH3yJUheCVE9V8MX0PFlNU1faW`
Yara	None matched
VirusTotal	Search for analysis

Name	ec96792074372670_recoverystore.{eb196184-7fb6-11eb-bde1-94de278c3274}.dat Submit file
Filepath	C:\Users\test22\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB196184-7FB6-11EB-BDE1-94DE278C3274}.dat
Size	4.5KB
Processes	1048 (iexplore.exe)
Type	Composite Document File V2 Document, Cannot read section info
MD5	`658d78bb9d10167cbb326bed94754b19`
SHA1	`4b8970c38cf9aef9133eab5a20414e16d9af10e2`
SHA256	`ec96792074372670a8c0d4914b12f3493ae355044452bf5d943f35925b8b47b3`
CRC32	`16E929B0`
ssdeep	`12:rlfF2rrEg5+IaCrI0F7+F2YQrEg5+IaCrI0F7ugQNlTqbaxvoMoTboZNlTqbaxvL:rqr5/1/5/3QNlWUNlW`
Yara	Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero
VirusTotal	Search for analysis

Name	0152adc16769d7bf_unins000.exe Submit file
Filepath	c:\program files (x86)\jcleaner\unins000.exe
Size	713.7KB
Processes	2260 (chashepro3.tmp)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4a2f6964da758a6f63d9ac169b65e391`
SHA1	`61de739b897a3d03fe9fc729f7e499fef3e5714c`
SHA256	`0152adc16769d7bfdb9c862e84e149efae5a6b3d8e826380497c05495e429a26`
CRC32	`8D9702BF`
ssdeep	`12288:/qIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyRw:CIZg+uiirPO37fzH4A6haDbcUZEbdT9N`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check borland_delphi - Borland Delphi 2.0 - 7.0 / 2005 - 2007 Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger spreading_file - Malware can spread east-west file win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero
VirusTotal	Search for analysis

Name	3b046d30dc2e6021_tmpE81E.tmp Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\tmpE81E.tmp
Size	36.0KB
Type	SQLite 3.x database, last written using SQLite version 3021000
MD5	`e185515780e9dcb21c3262899c206308`
SHA1	`230714474693919d93949ab5a291f7ec02fd286f`
SHA256	`3b046d30dc2e6021be55d1bd47c2a92970856526c021df5de6e4ea3c4144659b`
CRC32	`25EF2A64`
ssdeep	`24:TLNg/5UcJOyTGVZTPaFpEvg3obNmCFk6Uwcc85fBvlllYu:TC/ecVTgPOpEveoJZFrU1cQBvlllY`
Yara	None matched
VirusTotal	Search for analysis

Name	38c389720b75365f_tmpE843.tmp Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\tmpE843.tmp
Size	72.0KB
Type	SQLite 3.x database, last written using SQLite version 3021000
MD5	`c480140ee3c5758b968b69749145128d`
SHA1	`035a0656bc0d1d376dfc92f75fa664bdf71b3e4d`
SHA256	`38c389720b75365fcb080b40f7fdc5dc4587f4c264ec4e12a22030d15709e4a9`
CRC32	`954A724F`
ssdeep	`96:f0CWo3dOEctAYyY9MsH738Hsa/NTIdE8uKIaPdUDFBlrrVY/qBOnx4yWTJereWbY:fXtd69TYndTJMb3j0`
Yara	None matched
VirusTotal	Search for analysis

Name	6cf3c26f0b869f1d_chilled.exe Submit file
Filepath	c:\program files (x86)\jcleaner\chilled.exe
Size	214.0KB
Processes	2260 (chashepro3.tmp)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0af4c5206707c695b1de3ca34b43b491`
SHA1	`5f556355ed43c5ea47ab7a3ff63fd237b046c7ad`
SHA256	`6cf3c26f0b869f1d0fcda771815d4e4600b941a5f142d889292110996ced6fea`
CRC32	`7261A435`
ssdeep	`3072:EDKW1LgppLRHMY0TBfJvjcTp5X7lKKq07dmczxEAXRcskTkpP5e:EDKW1Lgbdl0TBBvjc/7PN7dUAhcskToM`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero
VirusTotal	Search for analysis

Name	afae540f3f12c30b_rd6n37gq.txt Submit file
Filepath	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\RD6N37GQ.txt
Size	89.0B
Processes	2764 (iexplore.exe)
Type	ASCII text
MD5	`5c60e1d3c40263fb20e3024f40bbac41`
SHA1	`57d29e55464ae74b9998614cc64db6d0b3d3949b`
SHA256	`afae540f3f12c30b1f13f8fec7bbec905310838eafab0701d53837f053360420`
CRC32	`EC50FF3F`
ssdeep	`3:gW9NDjLXQQqDvKvYTvXeTQtdRkXvW4:33XQQeSvYTvXbTRwP`
Yara	None matched
VirusTotal	Search for analysis

Name	388a796580234efc__setup64.tmp Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\is-G8ONP.tmp\_isetup\_setup64.tmp
Size	6.0KB
Processes	2260 (chashepro3.tmp)
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`e4211d6d009757c078a9fac7ff4f03d4`
SHA1	`019cd56ba687d39d12d4b13991c9a42ea6ba03da`
SHA256	`388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95`
CRC32	`2CDCC338`
ssdeep	`96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0`
Yara	IsPE64 - (no description) IsConsole - (no description) HasRichSignature - Rich Signature Check win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero
VirusTotal	Search for analysis

Name	04f451c1c5a6219f_unins000.dat Submit file
Filepath	C:\Program Files (x86)\JCleaner\unins000.dat
Size	1.3KB
Processes	2260 (chashepro3.tmp)
Type	data
MD5	`95e2f47387c271ae31260f55de7256e8`
SHA1	`597ca8c97d7f3dbfc42f27910f9bda24f670ee64`
SHA256	`04f451c1c5a6219fb2f19de326fb0533c2c52f7d120e577d152e4c29e1c95055`
CRC32	`61AD32B3`
ssdeep	`24:ZT2htRllR2KtVMExwR2+L2j2la2x2VMPVMMVMA6DVVt:ZT2n5R2KXxwR2M2j242x2MVBQr`
Yara	None matched
VirusTotal	Search for analysis

Name	049ab8112b1bcb70_favicon[5].png Submit file
Filepath	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\favicon[5].png
Size	588.0B
Type	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5	`a6bbddfa577a51a9e1c9f9d678265cea`
SHA1	`be6bd8beb8a6b0140841bb909d84b5a7a9740daa`
SHA256	`049ab8112b1bcb70e2bc132cda740e3b776953e3b3205050c41a48683d223786`
CRC32	`C6743D26`
ssdeep	`12:6v/7lFexRF5AvpSVhKYY/+zF/8UdodfTFWDGqJccdm1fWaa3dz1:EeRF5iUhKY4GHPCqJtdCfNatz1`
Yara	PNG_Format_Zero - PNG Format
VirusTotal	Search for analysis

Name	507a7b00e9fbe68e_chrome updater.exe Submit file
Filepath	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe
Size	4.4MB
Processes	1436 (flesh.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`029ce2e532fe5c70d3342f978f5463d0`
SHA1	`e4e3041b291f1e581deebc1c219e1df3fccc0a6b`
SHA256	`507a7b00e9fbe68e5dd732bea1bce17f0451ab6c1250970a7cf0ddf5fbc2b83e`
CRC32	`D2D75814`
ssdeep	`98304:QPvYDnmWwqsSgx0Yn+bQVacRCBdYPtON7x2ojsU2xLQ2dG:QPAmfSgx0Y+bQQB7x2ojszxLI`
Yara	IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check anti_vm_detect - Possibly employs anti-virtualization techniques PE_Header_Zero - PE File Signature Zero
VirusTotal	Search for analysis

Name	49285f51f658de25_jcleaner.lnk Submit file
Filepath	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JCleaner\JCleaner.lnk
Size	812.0B
Processes	2260 (chashepro3.tmp)
Type	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hide
MD5	`ed8a9bcefb38b77bd034f93654173152`
SHA1	`7efd29f7714bd7770109b352381c631e8b2e429d`
SHA256	`49285f51f658de25bf8e5828d3cdd48665eae25072dd469757ff53f3107a2d4b`
CRC32	`AA09092F`
ssdeep	`12:8wl0f2lqqdp8A/M0oSlSVNlNybdpYYsubdpYIcKNUGa4t2YLEPKzlX8:8fqdOAtlClMdYqdnUG2Py`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format
VirusTotal	Search for analysis

Name	e3b0c44298fc1c14_cerA9F4.tmp Empty file or file not found
Filepath	C:\Windows\cerA9F4.tmp
Size	0.0B
Type	empty
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
CRC32	`00000000`
ssdeep	`3::`
Yara	None matched
VirusTotal	Search for analysis

Name	72774483f63d3398_{eb196185-7fb6-11eb-bde1-94de278c3274}.dat Submit file
Filepath	C:\Users\test22\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EB196185-7FB6-11EB-BDE1-94DE278C3274}.dat
Size	4.5KB
Processes	1048 (iexplore.exe)
Type	Composite Document File V2 Document, Cannot read section info
MD5	`52034923cee3f57c4de66cc5205867ac`
SHA1	`98640219bcf3f767f005b9f81467c564f14b1df5`
SHA256	`72774483f63d3398f076b034841e68b62470263cc54a5fb60fc49cff95899057`
CRC32	`8CB6BA9B`
ssdeep	`12:rl0ZGFvgQrEgmfB06Fv1DrEgmfh0qgNNlTVbaxLNlz9baxzy:rLHGrxGmNNlp+Nlhi`
Yara	Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero
VirusTotal	Search for analysis