Dropped Files | ZeroBOX
Name 6303a4416ac81d41_vpn.exe
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
Size 1.2MB
Processes 2216 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5 433094d2225f81b9ac8bd4597d5a56a2
SHA1 664a3a73b2c5ae8b9af8c2800357a2f3ea1cc8a8
SHA256 6303a4416ac81d41d3a9325f27047320b7fd6c63e55fa0fcb5b8144ea43b5c73
CRC32 A1382D78
ssdeep 24576:S53uhFg8LXd91aW3JqrBIlKYY9uCgup4P6WG/ORsTSUKQBs:S5+hFgSNnn3JNQqCg+4RG/ORsTE/
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature Zero
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasModified_DOS_Message - DOS Message Check
VirusTotal Search for analysis
Name d1e75a97109a73d3_46173476.txt
Submit file
Filepath C:\ProgramData\mqpdooifn\46173476.txt
Size 46.0B
Processes 2760 (Metto.com) 3292 (cmd.exe)
Type ASCII text, with no line terminators
MD5 b7158315b8dfb0c4c510287b4a760172
SHA1 b9640a88f5a9456bcfe37cf9ebc4be023a3fc6f5
SHA256 d1e75a97109a73d30ffbfd925d3002e361a660c277a454b5582e43c8d89c0247
CRC32 2991DCE2
ssdeep 3:9pW6Xiuf6hUSIVa+:X9S3UQ+
Yara None matched
VirusTotal Search for analysis
Name 2f7f8fc05dc4fd0d_UAC.dll
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\nsq6357.tmp\UAC.dll
Size 14.5KB
Processes 2216 (lv.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
CRC32 1FE27A66
ssdeep 192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • win_token - Affect system token
  • IsPE32 - (no description)
  • IsDLL - (no description)
  • IsWindowsGUI - (no description)
  • HasRichSignature - Rich Signature Check
VirusTotal Search for analysis
Name b2d08e145b4561fc__information.txt
Submit file
Filepath C:\ProgramData\mqpdooifn\Files\_information.txt
Size 111.0B
Processes 2760 (Metto.com) 3292 (cmd.exe)
Type UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 d4856327419f35fbaaed961f623e9957
SHA1 6abc14a331ba75ea7e501a754dbfa32f56ebe21e
SHA256 b2d08e145b4561fc4b5897f9b0af256f9a0e604a0a33f531a05b89722a130b5a
CRC32 DF969B3C
ssdeep 3:Rifr9XFevLzO+A0KeKnSeXQXv9B6uov94uFtQRIv:RixXFe31AzeKnSIQ7hN+v
Yara None matched
VirusTotal Search for analysis
Name e3b0c44298fc1c14_nsb6347.tmp
Empty file or file not found
Filepath C:\Users\test22\AppData\Local\Temp\nsb6347.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name bdad25d767888dfc_4.exe
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
Size 323.0KB
Processes 2216 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8a352ec9a6a369fb5d6d7512554f9d0f
SHA1 da995a3be655c1580438b200cbd6ba67003a72eb
SHA256 bdad25d767888dfc3b5db69b5fc980e24af208c3c13c7f772fe28adc23adb6fb
CRC32 363FF529
ssdeep 6144:FgdaOz/9yVdDVbXQRNZ4VMVHnDH/mhN8TgmfKZLHGZW:FgdaOzEVpdQRNZ4wDHOhKTMyw
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
VirusTotal Search for analysis
Name 63805918e709f146_mezzo.mp3
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Mezzo.mp3
Size 674.6KB
Processes 492 (vpn.exe)
Type ASCII text, with very long lines, with CRLF, CR, LF line terminators
MD5 22d809197cb78a95b497f71f29147487
SHA1 480b2fb830d276d40d0ad5f57fc64fdc690133de
SHA256 63805918e709f14605287fc80135c11337336949f8569446d5226d00e479a88c
CRC32 C7AF3298
ssdeep 6144:STX3iy6uCNTNtDQY9QUkoN+MUtRN0I/6BA9y0Nt24179+JIivj7rWJdst5I:KHkDtUmQ1ogMkmI/XnA7L74ste
Yara None matched
VirusTotal Search for analysis
Name 6b8f730e214f5114_rimasta.aspx
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Rimasta.aspx
Size 103.2KB
Processes 1536 (6.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 ee22f8eaf1c2b4e0d6363e57f53d5573
SHA1 f2c146287528c37bcec4bbcc8da2a3a1b11f12f3
SHA256 6b8f730e214f5114ff7d30af8bb05871d36578f0e3ccc9a33eceb0b640e8174d
CRC32 D05C696E
ssdeep 3072:tV5rs/pQ7JgFcWohNM3mh5bb5mO0AyUF8I9n9zJ:tV5y67nWgNM3W5bb0O5F99n9zJ
Yara None matched
VirusTotal Search for analysis
Name 1f1319a0db89cb3c_mantenga.eps
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Mantenga.eps
Size 921.8KB
Processes 492 (vpn.exe)
Type data
MD5 52b162f396196896e054aee7cba9ba39
SHA1 273755f8e632bba6a4f64768ba8729ef114c6f85
SHA256 1f1319a0db89cb3c8f0ed2041b66a5078676ce1ef3b713e543b97e5b3a84d841
CRC32 EA61C9E2
ssdeep 24576:pJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:pC7hGOSPT/PxebaiO
Yara
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • AutoIt - www.autoitscript.com/site/autoit/
VirusTotal Search for analysis
Name 1b5ab1d7ad3cb085_5.exe
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\5.exe
Size 145.5KB
Processes 2216 (lv.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 4dc14f5ee181cdfead747853c869c21c
SHA1 0b7a5bb53e312b96a0ab296778e4061beaa52564
SHA256 1b5ab1d7ad3cb085490c9e96047622d7824c3a943c056d1a5bdda054ff5b926d
CRC32 182D291C
ssdeep 3072:P+wI2RnudqEenYHwaJk5ZN+P9gBWMAsHbL8:GwbnseYNJyZN+PM
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • IsPE64 - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
VirusTotal Search for analysis
Name 05d8cf394190f3a7_Metto.com
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Metto.com
Size 921.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
CRC32 DE918CC3
ssdeep 24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • AutoIt - www.autoitscript.com/site/autoit/
VirusTotal Search for analysis
Name fa00a8c3680f79a8_talvolta.psd
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Talvolta.psd
Size 18.0KB
Processes 1536 (6.exe)
Type data
MD5 faed59c8318ac38e2b7c9f2bb4ed81bf
SHA1 a9b2bb3afb64a25d7682cf8aa2d30876e7165744
SHA256 fa00a8c3680f79a88bd1ee0d01aa7ceaa8561097d03c8f1a0a21cebde81cb9e2
CRC32 14F77D98
ssdeep 384:cTsSqcVgIR4exedjTkRVnH5Xlqcdk2O/AZZRn1fS:YVg7emkfz5k2O/AZZbS
Yara None matched
VirusTotal Search for analysis
Name 7a260404a4167d0c_KR_2021_03_25___01_19___nfattn_175.208.134.150.zip
Submit file
Filepath C:\ProgramData\mqpdooifn\KR_2021_03_25___01_19___nfattn_175.208.134.150.zip
Size 258.0B
Processes 2760 (Metto.com) 3292 (cmd.exe)
Type Zip archive data, at least v2.0 to extract
MD5 95072322451b28f482bfaf20e8cb1125
SHA1 f36d55bb160525ba82c515e31e1931ceeb5358af
SHA256 7a260404a4167d0c149e72bfbe2727281c940e4559930956c6886daf987870b9
CRC32 1E3C0104
ssdeep 6:5jprMKj0fj3hswMvp3+gpK5Emt4MKjYOjt+lCn:5jFmjFHSK6DtaCn
Yara None matched
VirusTotal Search for analysis
Name 9311d98adf917b57_Gli.mid
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Gli.mid
Size 212.0KB
Processes 1536 (6.exe) 2760 (Metto.com)
Type data
MD5 8c2f7d37a3b93337335828249dd19956
SHA1 8d94b14fd948756462dc835953ccfb1e40525eed
SHA256 9311d98adf917b577153da6bca75b2cd1af827f24774dd121b82d7fc79620899
CRC32 CFA52696
ssdeep 6144:omvh2EgtqlS577labsq2+qQdEIxgWQmtavJcERU9n/:dvhYt977labsE+IxgW8v+r9/
Yara None matched
VirusTotal Search for analysis
Name 5b21161cc7b96f58_confusa.wav
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Confusa.wav
Size 588.8KB
Processes 1536 (6.exe)
Type ASCII text, with very long lines, with CRLF, CR, LF line terminators
MD5 ad0239159feded85b751d8eafeeecccd
SHA1 b28d7bace1c98b62744c5fc81901e246b0d5a330
SHA256 5b21161cc7b96f584b929cf0d0f7a89d7835a9a91476a87992b353980f1988d5
CRC32 E8BFB917
ssdeep 12288:37of/GPg2XJEQQMyWAc1K7rhtCvcrx7EI2mM+C9fEL96FQYZihklls+TMQC9SFlT:aIgd4NAccTC0nC8R6KYZS4y+TMQConxx
Yara None matched
VirusTotal Search for analysis
Name 0a6d0cc02cdccf65_6.exe
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\New Feature\6.exe
Size 1.2MB
Processes 2216 (lv.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5 b4448bc76da3e8d5a60f021cb8b7f9e6
SHA1 ad80a8feaafbe5d94efd83541dd9aa413ddf99e5
SHA256 0a6d0cc02cdccf65ceebee980e82d162a81d73b659b099f7c04e943b499f68de
CRC32 481FA1BE
ssdeep 24576:653uhFqxvysSRytVqXvS+bIKlSoSh274ABZYtn7nEpetSutNzV:65+hFgvlS8+xbaoSh277GtnjEpe57V
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature Zero
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasModified_DOS_Message - DOS Message Check
VirusTotal Search for analysis
Name 9685c6a4badbbf42_Benvenuta.vst
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Benvenuta.vst
Size 140.0KB
Processes 492 (vpn.exe) 2412 (Uso.com)
Type data
MD5 1917cc492c37a3192363d5d1ddffdd66
SHA1 30239c834e95e65fcc8f0602a45fee62701e7978
SHA256 9685c6a4badbbf42d4e4e0ff593d19d27fe66a6d4a525b1945539613f0497f14
CRC32 4DFA0A9A
ssdeep 3072:u1SUu6OXR57srdkKA5WE3kbuhcbKWDizgzUUC5D2ILaD/kzlYmNqy1:36OXR5LKUW+hceWDbzRWs/kz+E1
Yara None matched
VirusTotal Search for analysis
Name 4babf27fa4145ed9_conoscerla.wpd
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Conoscerla.wpd
Size 101.7KB
Processes 492 (vpn.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 8a407184b4105c2d4e7c4e5007dc150d
SHA1 c85794d68de6084bb6e83cfbc86a55c8ec0df38e
SHA256 4babf27fa4145ed9da1491b97f26ac439e41b58fb2957a35329eec955e253f6a
CRC32 E25BA46E
ssdeep 1536:YfPWxIFcQZUwixLj8sF9FAYJDE9avomnMGHOZLmC0AHHpt81RIk+W3q+/f:YfPQMXUP/hFYYJ4aQs25PHHWRIfWN3
Yara None matched
VirusTotal Search for analysis
Name 3707280c234843f9_8372422.txt
Submit file
Filepath C:\ProgramData\mqpdooifn\8372422.txt
Size 136.0B
Processes 2760 (Metto.com) 3292 (cmd.exe)
Type ASCII text
MD5 2a6907fe70897ab933500be28cd1c280
SHA1 335cae5285fbd633da32dfed357e66f9ee9e1452
SHA256 3707280c234843f9933b3e9d71f04cc32e8679b5560772d950580f6d4d6e2016
CRC32 A47AEA5B
ssdeep 3:BzrLR/u3MRrEID30wKQtAJAGjulkVX9AJAGjCXQQn:BfLw8xGSleXCWXQQn
Yara None matched
VirusTotal Search for analysis
Name a5fe71e869c29c87_fino.aac
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\BqzrjlvCjf\Fino.aac
Size 921.8KB
Processes 1536 (6.exe)
Type data
MD5 d7c1b23b61d21f275f1ebab8926e99be
SHA1 69396e69d9d6dafcbc4baded16d942a9c08ecfec
SHA256 a5fe71e869c29c875ba9d55e7a5d748c9fee02705fcda5146b83cefe85293ffe
CRC32 951CB2F8
ssdeep 24576:AJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:AC7hGOSPT/PxebaiO
Yara
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • AutoIt - www.autoitscript.com/site/autoit/
VirusTotal Search for analysis
Name 5668eff751f0fa96_imagine.sldm
Submit file
Filepath C:\Users\test22\AppData\Local\Temp\zzguiZoqUNz\Imagine.sldm
Size 24.0KB
Processes 492 (vpn.exe)
Type data
MD5 5ac1a239bf4783ba2c6bee3c92b034c9
SHA1 ccb2efac393b73bb6c3fcfc5fa42d49dc8ae86bf
SHA256 5668eff751f0fa96e5775c50d8c4481ecc929f33ee6dd760ce53eaebb1673e9e
CRC32 784115A3
ssdeep 768:PMnFcDjjpUL7NH7Yy4i+/wbB7D487SF41XM7l:PquxUL75YyH+/wbBf4LFv7l
Yara None matched
VirusTotal Search for analysis