Dropped Files | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...

Latest News
11.14 04:11
Drupal security adviso...
11.14 04:11
Blizzard Brings Back O...
11.14 04:11
GitLab security adviso...
11.14 03:11
Amazon Labor Ruling Ou...
11.14 03:11
PG&amp;E Project A...
11.14 03:11
China’s Trump Cards fo...
11.14 03:11
CVE-2024-43451: A New ...
11.14 03:11
Making Sense of Real-T...
11.14 03:11
Zero-day vulnerability...
11.14 03:11
US indicts alleged Sno...

Dropped Files | ZeroBOX

Name	6303a4416ac81d41_vpn.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
Size	1.2MB
Processes	3024 (lv.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`433094d2225f81b9ac8bd4597d5a56a2`
SHA1	`664a3a73b2c5ae8b9af8c2800357a2f3ea1cc8a8`
SHA256	`6303a4416ac81d41d3a9325f27047320b7fd6c63e55fa0fcb5b8144ea43b5c73`
CRC32	`A1382D78`
ssdeep	`24576:S53uhFg8LXd91aW3JqrBIlKYY9uCgup4P6WG/ORsTSUKQBs:S5+hFgSNnn3JNQqCg+4RG/ORsTE/`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Zero screenshot - Take screenshot keylogger - Run a keylogger win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasModified_DOS_Message - DOS Message Check
VirusTotal	Search for analysis

Name	2f7f8fc05dc4fd0d_UAC.dll Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\nsy63A5.tmp\UAC.dll
Size	14.5KB
Processes	3024 (lv.exe)
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`adb29e6b186daa765dc750128649b63d`
SHA1	`160cbdc4cb0ac2c142d361df138c537aa7e708c9`
SHA256	`2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08`
CRC32	`1FE27A66`
ssdeep	`192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs`
Yara	PE_Header_Zero - PE File Signature Zero escalate_priv - Escalade priviledges win_token - Affect system token IsPE32 - (no description) IsDLL - (no description) IsWindowsGUI - (no description) HasRichSignature - Rich Signature Check
VirusTotal	Search for analysis

Name	b2d08e145b4561fc__information.txt Submit file
Filepath	C:\ProgramData\mlgfccykg\Files\_information.txt
Size	111.0B
Processes	1824 (Metto.com) 3292 (cmd.exe)
Type	UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5	`d4856327419f35fbaaed961f623e9957`
SHA1	`6abc14a331ba75ea7e501a754dbfa32f56ebe21e`
SHA256	`b2d08e145b4561fc4b5897f9b0af256f9a0e604a0a33f531a05b89722a130b5a`
CRC32	`DF969B3C`
ssdeep	`3:Rifr9XFevLzO+A0KeKnSeXQXv9B6uov94uFtQRIv:RixXFe31AzeKnSIQ7hN+v`
Yara	None matched
VirusTotal	Search for analysis

Name	bdad25d767888dfc_4.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
Size	323.0KB
Processes	3024 (lv.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8a352ec9a6a369fb5d6d7512554f9d0f`
SHA1	`da995a3be655c1580438b200cbd6ba67003a72eb`
SHA256	`bdad25d767888dfc3b5db69b5fc980e24af208c3c13c7f772fe28adc23adb6fb`
CRC32	`363FF529`
ssdeep	`6144:FgdaOz/9yVdDVbXQRNZ4VMVHnDH/mhN8TgmfKZLHGZW:FgdaOzEVpdQRNZ4wDHOhKTMyw`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description)
VirusTotal	Search for analysis

Name	63805918e709f146_mezzo.mp3 Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Mezzo.mp3
Size	674.6KB
Processes	1048 (vpn.exe)
Type	ASCII text, with very long lines, with CRLF, CR, LF line terminators
MD5	`22d809197cb78a95b497f71f29147487`
SHA1	`480b2fb830d276d40d0ad5f57fc64fdc690133de`
SHA256	`63805918e709f14605287fc80135c11337336949f8569446d5226d00e479a88c`
CRC32	`C7AF3298`
ssdeep	`6144:STX3iy6uCNTNtDQY9QUkoN+MUtRN0I/6BA9y0Nt24179+JIivj7rWJdst5I:KHkDtUmQ1ogMkmI/XnA7L74ste`
Yara	None matched
VirusTotal	Search for analysis

Name	6b8f730e214f5114_rimasta.aspx Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Rimasta.aspx
Size	103.2KB
Processes	596 (6.exe)
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`ee22f8eaf1c2b4e0d6363e57f53d5573`
SHA1	`f2c146287528c37bcec4bbcc8da2a3a1b11f12f3`
SHA256	`6b8f730e214f5114ff7d30af8bb05871d36578f0e3ccc9a33eceb0b640e8174d`
CRC32	`D05C696E`
ssdeep	`3072:tV5rs/pQ7JgFcWohNM3mh5bb5mO0AyUF8I9n9zJ:tV5y67nWgNM3W5bb0O5F99n9zJ`
Yara	None matched
VirusTotal	Search for analysis

Name	e3b0c44298fc1c14_nsj6395.tmp Empty file or file not found
Filepath	C:\Users\test22\AppData\Local\Temp\nsj6395.tmp
Size	0.0B
Type	empty
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
CRC32	`00000000`
ssdeep	`3::`
Yara	None matched
VirusTotal	Search for analysis

Name	1f1319a0db89cb3c_mantenga.eps Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Mantenga.eps
Size	921.8KB
Processes	1048 (vpn.exe)
Type	data
MD5	`52b162f396196896e054aee7cba9ba39`
SHA1	`273755f8e632bba6a4f64768ba8729ef114c6f85`
SHA256	`1f1319a0db89cb3c8f0ed2041b66a5078676ce1ef3b713e543b97e5b3a84d841`
CRC32	`EA61C9E2`
ssdeep	`24576:pJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:pC7hGOSPT/PxebaiO`
Yara	OS_Processor_Check_Zero - OS Processor Check Signature Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call AutoIt - www.autoitscript.com/site/autoit/
VirusTotal	Search for analysis

Name	1b5ab1d7ad3cb085_5.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\New Feature\5.exe
Size	145.5KB
Processes	3024 (lv.exe)
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`4dc14f5ee181cdfead747853c869c21c`
SHA1	`0b7a5bb53e312b96a0ab296778e4061beaa52564`
SHA256	`1b5ab1d7ad3cb085490c9e96047622d7824c3a943c056d1a5bdda054ff5b926d`
CRC32	`182D291C`
ssdeep	`3072:P+wI2RnudqEenYHwaJk5ZN+P9gBWMAsHbL8:GwbnseYNJyZN+PM`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero win_registry - Affect system registries win_files_operation - Affect private profile IsPE64 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check
VirusTotal	Search for analysis

Name	05d8cf394190f3a7_Metto.com Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
Size	921.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`78ba0653a340bac5ff152b21a83626cc`
SHA1	`b12da9cb5d024555405040e65ad89d16ae749502`
SHA256	`05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7`
CRC32	`DE918CC3`
ssdeep	`24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/
VirusTotal	Search for analysis

Name	fa00a8c3680f79a8_talvolta.psd Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Talvolta.psd
Size	18.0KB
Processes	596 (6.exe)
Type	data
MD5	`faed59c8318ac38e2b7c9f2bb4ed81bf`
SHA1	`a9b2bb3afb64a25d7682cf8aa2d30876e7165744`
SHA256	`fa00a8c3680f79a88bd1ee0d01aa7ceaa8561097d03c8f1a0a21cebde81cb9e2`
CRC32	`14F77D98`
ssdeep	`384:cTsSqcVgIR4exedjTkRVnH5Xlqcdk2O/AZZRn1fS:YVg7emkfz5k2O/AZZbS`
Yara	None matched
VirusTotal	Search for analysis

Name	9311d98adf917b57_Gli.mid Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Gli.mid
Size	212.0KB
Processes	596 (6.exe) 1824 (Metto.com)
Type	data
MD5	`8c2f7d37a3b93337335828249dd19956`
SHA1	`8d94b14fd948756462dc835953ccfb1e40525eed`
SHA256	`9311d98adf917b577153da6bca75b2cd1af827f24774dd121b82d7fc79620899`
CRC32	`CFA52696`
ssdeep	`6144:omvh2EgtqlS577labsq2+qQdEIxgWQmtavJcERU9n/:dvhYt977labsE+IxgW8v+r9/`
Yara	None matched
VirusTotal	Search for analysis

Name	5b21161cc7b96f58_confusa.wav Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Confusa.wav
Size	588.8KB
Processes	596 (6.exe)
Type	ASCII text, with very long lines, with CRLF, CR, LF line terminators
MD5	`ad0239159feded85b751d8eafeeecccd`
SHA1	`b28d7bace1c98b62744c5fc81901e246b0d5a330`
SHA256	`5b21161cc7b96f584b929cf0d0f7a89d7835a9a91476a87992b353980f1988d5`
CRC32	`E8BFB917`
ssdeep	`12288:37of/GPg2XJEQQMyWAc1K7rhtCvcrx7EI2mM+C9fEL96FQYZihklls+TMQC9SFlT:aIgd4NAccTC0nC8R6KYZS4y+TMQConxx`
Yara	None matched
VirusTotal	Search for analysis

Name	c05204e7a60a39c2_46173476.txt Submit file
Filepath	C:\ProgramData\mlgfccykg\46173476.txt
Size	44.0B
Processes	1824 (Metto.com) 3292 (cmd.exe)
Type	ASCII text, with no line terminators
MD5	`aab63c61f6a45ad94bf7cf1813ef9829`
SHA1	`19dd8e7df1dc6ac6be009eca79d3043762a3809a`
SHA256	`c05204e7a60a39c261bc506132570dc949532cdeeb072fd9fb75da0cda8b6c0f`
CRC32	`F5706EE4`
ssdeep	`3:9pW6X7f6oa/SIVa+:X9riSb+`
Yara	None matched
VirusTotal	Search for analysis

Name	0a6d0cc02cdccf65_6.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\New Feature\6.exe
Size	1.2MB
Processes	3024 (lv.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5	`b4448bc76da3e8d5a60f021cb8b7f9e6`
SHA1	`ad80a8feaafbe5d94efd83541dd9aa413ddf99e5`
SHA256	`0a6d0cc02cdccf65ceebee980e82d162a81d73b659b099f7c04e943b499f68de`
CRC32	`481FA1BE`
ssdeep	`24576:653uhFqxvysSRytVqXvS+bIKlSoSh274ABZYtn7nEpetSutNzV:65+hFgvlS8+xbaoSh277GtnjEpe57V`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Zero screenshot - Take screenshot keylogger - Run a keylogger win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasModified_DOS_Message - DOS Message Check
VirusTotal	Search for analysis

Name	9685c6a4badbbf42_Benvenuta.vst Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Benvenuta.vst
Size	140.0KB
Processes	1048 (vpn.exe) 2244 (Uso.com)
Type	data
MD5	`1917cc492c37a3192363d5d1ddffdd66`
SHA1	`30239c834e95e65fcc8f0602a45fee62701e7978`
SHA256	`9685c6a4badbbf42d4e4e0ff593d19d27fe66a6d4a525b1945539613f0497f14`
CRC32	`4DFA0A9A`
ssdeep	`3072:u1SUu6OXR57srdkKA5WE3kbuhcbKWDizgzUUC5D2ILaD/kzlYmNqy1:36OXR5LKUW+hceWDbzRWs/kz+E1`
Yara	None matched
VirusTotal	Search for analysis

Name	4babf27fa4145ed9_conoscerla.wpd Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Conoscerla.wpd
Size	101.7KB
Processes	1048 (vpn.exe)
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`8a407184b4105c2d4e7c4e5007dc150d`
SHA1	`c85794d68de6084bb6e83cfbc86a55c8ec0df38e`
SHA256	`4babf27fa4145ed9da1491b97f26ac439e41b58fb2957a35329eec955e253f6a`
CRC32	`E25BA46E`
ssdeep	`1536:YfPWxIFcQZUwixLj8sF9FAYJDE9avomnMGHOZLmC0AHHpt81RIk+W3q+/f:YfPQMXUP/hFYYJ4aQs25PHHWRIfWN3`
Yara	None matched
VirusTotal	Search for analysis

Name	3707280c234843f9_8372422.txt Submit file
Filepath	C:\ProgramData\mlgfccykg\8372422.txt
Size	136.0B
Processes	1824 (Metto.com) 3292 (cmd.exe)
Type	ASCII text
MD5	`2a6907fe70897ab933500be28cd1c280`
SHA1	`335cae5285fbd633da32dfed357e66f9ee9e1452`
SHA256	`3707280c234843f9933b3e9d71f04cc32e8679b5560772d950580f6d4d6e2016`
CRC32	`A47AEA5B`
ssdeep	`3:BzrLR/u3MRrEID30wKQtAJAGjulkVX9AJAGjCXQQn:BfLw8xGSleXCWXQQn`
Yara	None matched
VirusTotal	Search for analysis

Name	5a46e2bb27446710_KR_2021_03_24___19_53___kabp_175.208.134.150.zip Submit file
Filepath	C:\ProgramData\mlgfccykg\KR_2021_03_24___19_53___kabp_175.208.134.150.zip
Size	258.0B
Processes	1824 (Metto.com) 3292 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`251b060615ad369bec1c7dbedbf78509`
SHA1	`37110bd317d7dc3e95ed942ba4866d49ba03a1dc`
SHA256	`5a46e2bb274467105e437bd81d632aea6c37c2a390d87ceb5acfa3c96de2e3e0`
CRC32	`6F363DDB`
ssdeep	`6:5jmrMKjFADVhswMvp3+gpKWEmt4MKjYROB+lCn:5jAyHSKDRBaCn`
Yara	None matched
VirusTotal	Search for analysis

Name	a5fe71e869c29c87_fino.aac Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Fino.aac
Size	921.8KB
Processes	596 (6.exe)
Type	data
MD5	`d7c1b23b61d21f275f1ebab8926e99be`
SHA1	`69396e69d9d6dafcbc4baded16d942a9c08ecfec`
SHA256	`a5fe71e869c29c875ba9d55e7a5d748c9fee02705fcda5146b83cefe85293ffe`
CRC32	`951CB2F8`
ssdeep	`24576:AJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:AC7hGOSPT/PxebaiO`
Yara	OS_Processor_Check_Zero - OS Processor Check Signature Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call AutoIt - www.autoitscript.com/site/autoit/
VirusTotal	Search for analysis

Name	5668eff751f0fa96_imagine.sldm Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Imagine.sldm
Size	24.0KB
Processes	1048 (vpn.exe)
Type	data
MD5	`5ac1a239bf4783ba2c6bee3c92b034c9`
SHA1	`ccb2efac393b73bb6c3fcfc5fa42d49dc8ae86bf`
SHA256	`5668eff751f0fa96e5775c50d8c4481ecc929f33ee6dd760ce53eaebb1673e9e`
CRC32	`784115A3`
ssdeep	`768:PMnFcDjjpUL7NH7Yy4i+/wbB7D487SF41XM7l:PquxUL75YyH+/wbBf4LFv7l`
Yara	None matched
VirusTotal	Search for analysis