Prefetch Query

(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Hi

I'm looking at a Prefetch folder which includes entries for the following
JO34CD.EXE
EX3601.EXE
SAF119.EXE
AC91CA.EXE
ERA7CA.EXE
HTE775.EXE
AM422F.EXE
UE166D.EXE
JED1B3.EXE

I don't recognise any of these. According to Windows File Analyzer, they've all only been run once, run time is within 7 days of the last time the system was used, all have a similar naming convention (i.e. 6 characters including 2 or 3 numerics), and Google doesn't find much at all about them.

Anyone come across them? I wonder if they are traces of some kind of malware - just a thought, that's all.

Regards

 
Posted : 10/02/2010 5:29 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

One thought would be to extract the file paths (embedded in the Prefetch files), and see if those files are still on the system.

Instead of wondering, conducting some investigation might be more revealing.

 
Posted : 10/02/2010 5:40 pm
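An added example, not part of the thread: one way to pull the embedded file paths, run count and last run time out of a Prefetch file, as suggested in the reply above. It assumes the uncompressed format versions 17 (XP/2003) and 23 (Vista/7) with their publicly documented field offsets; the function names, the sample path under `\WINDOWS\TEMP` and the timestamp are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last-run FILETIME offset, run-count offset) per format version:
# 17 = Windows XP/2003, 23 = Vista/7. Later and compressed formats are not handled.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}

def parse_prefetch(data: bytes) -> dict:
    """Return name, run count, last run time and embedded paths from a .pf image."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"unsupported prefetch file: version={version} sig={sig!r}")
    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 0x10.
    exe = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    # Filename strings block: offset and size sit at 0x64/0x68 in both versions.
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    if str_off + str_size > len(data):
        raise ValueError("filename strings block runs past end of file")
    block = data[str_off:str_off + str_size].decode("utf-16-le", errors="replace")
    paths = [p for p in block.split("\x00") if p]
    run_off, count_off = LAYOUT[version]
    (filetime,) = struct.unpack_from("<Q", data, run_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    last_run = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    # Case-insensitive match of the last path component against the header name.
    exe_paths = [p for p in paths if p.rsplit("\\", 1)[-1].upper() == exe.upper()]
    return {"exe": exe, "run_count": run_count, "last_run": last_run,
            "paths": paths, "exe_paths": exe_paths}

def build_sample() -> bytes:
    """Constructed version-17 image; the paths and timestamp are made up."""
    paths = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\TEMP\\JO34CD.EXE"]
    strings = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    buf = bytearray(0x98) + strings
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    buf[0x10:0x10 + 20] = "JO34CD.EXE".encode("utf-16-le")
    struct.pack_into("<II", buf, 0x64, 0x98, len(strings))
    struct.pack_into("<Q", buf, 0x78, 129098016000000000)  # 2010-02-05 00:00 UTC
    struct.pack_into("<I", buf, 0x90, 1)
    return bytes(buf)

if __name__ == "__main__":
    info = parse_prefetch(build_sample())
    print(info["exe"], "runs:", info["run_count"], "last run:", info["last_run"])
    for p in info["exe_paths"]:
        print("embedded path of executable:", p)
```

The embedded paths use the `\DEVICE\HARDDISKVOLUMEn\...` form, so they need mapping to a drive letter or image offset before checking whether the file still exists.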
(@athulin)
Posts: 1156
Noble Member
 

I'm looking at a Prefetch folder which includes entries for the following
JO34CD.EXE
EX3601.EXE

I don't recognise any of these.

What's the context? On a corporate system, where updates and installations are pushed out through some kind of installation manager, you'll often find that these get temporary names, and have been executed only once.

In those cases, I can quite often expect to find the actual files in a system restore point, at least for the systems I've encountered so far.

Searching for the file names (case insensitive) seems the natural second step. Checking time stamps and correlating with other system events a useful third.

 
Posted : 10/02/2010 6:37 pm