739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 23:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe
Size

250KB
MD5

4522f8b7894a5a43ca8eae348b6df0f8
SHA1

93c3a4cd445ecf790239cce1a75617e7cef4a67a
SHA256

739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a
SHA512

2f183208adb2f6a3b4831d871901d989defeaeab7c9cd2fb3d5857daeca195aec6a065e0d4506c8ba620e319c0b8ed37b4cb1eabb8d9ba84879cbcda98ee1134
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5OS16RRtEE01xFCvdaAyNg6C2z:h1OgLdaOOS16RYMvd96z

Score

9^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000139dd-68.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1388	50d6b792c3552.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000139dd-68.dat	upx
behavioral1/memory/1388-73-0x0000000074B90000-0x0000000074B9A000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe
1388	50d6b792c3552.exe
1388	50d6b792c3552.exe
1388	50d6b792c3552.exe
1388	50d6b792c3552.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\ = "Zoomex"	50d6b792c3552.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\NoExplorer = "1"	50d6b792c3552.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}	50d6b792c3552.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000001267b-55.dat	nsis_installer_1
behavioral1/files/0x000700000001267b-55.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-57.dat	nsis_installer_1
behavioral1/files/0x000700000001267b-57.dat	nsis_installer_2
behavioral1/files/0x000700000001267b-59.dat	nsis_installer_1
behavioral1/files/0x000700000001267b-59.dat	nsis_installer_2
behavioral1/files/0x0006000000014118-74.dat	nsis_installer_1
behavioral1/files/0x0006000000014118-74.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx.3.2\CLSID	50d6b792c3552.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "IIEPluginStorage"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50d6b792c3552.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\VersionIndependentProgID	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx\CurVer\ = "50d6b792c358a.ocx.3.2"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\Programmable	50d6b792c3552.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\ProgID	50d6b792c3552.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\Programmable	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\VersionIndependentProgID	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50d6b792c3552.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\InprocServer32	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx.3.2\CLSID\ = "{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx\ = "Zoomex"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx\CLSID\ = "{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\ = "Zoomex Class"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\InprocServer32\ThreadingModel = "Apartment"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\VersionIndependentProgID\ = "50d6b792c358a.ocx"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx.3.2\ = "Zoomex"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx\CLSID	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginBHO"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\ProgID	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\InprocServer32	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "IIEPluginStorage"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx\CurVer	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50d6b792c358a.ocx"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginBHO"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\InprocServer32\ = "C:\\ProgramData\\Zoomex\\50d6b792c358a.ocx"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86}\ProgID\ = "50d6b792c358a.ocx.3.2"	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx.3.2	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\50d6b792c358a.ocx.50d6b792c358a.ocx	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50d6b792c3552.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50d6b792c3552.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27
PID 1048 wrote to memory of 1388	1048	739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe	27

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50d6b792c3552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8C78BD06-7C1A-F7E0-3FD9-8B32446CAF86} = "1"	50d6b792c3552.exe

C:\Users\Admin\AppData\Local\Temp\739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe
"C:\Users\Admin\AppData\Local\Temp\739ea054277b4aad3d738d3ac3342db2fed04f0ab8ce977af93cde965f90f96a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c3552.exe
  .\50d6b792c3552.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
fb21ee3d69e8005a4442fa87dc3dde57

SHA1
8b5b21d1bea0c2b95db31cda6ec7f417639d930f

SHA256
854c393009d7b76e9bac3a327cee618ce7ead190481209506ba98ca2d2a76d7a

SHA512
7df3f4bb636a0db57e933d9dec687435b76fcd552aa01433e2b5057c7b9928b92ac7236b2953ace0ba60e8ca5ba98d1a3fc65c4f7e67ebeea2ff7aa9cc884ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
5ff631c81ef1b160b57807de8812304e

SHA1
6f29a6ce7e2a5d768ea6275013b57ff9340dec36

SHA256
6e395da983c78bcb02a05b495f4b7727b1b85038742e7a432641e3d480bffee5

SHA512
093879e8a1a0bda39d7adfc6969be52b1ba9de2eb4d46c8b9963c73d0932a0b6a7fe076184449e63a61287275df1efb6a8dd81a10dd6048819bc68a89ee45881

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
cfadbbd32155bdbadf4969b8a9ba18f3

SHA1
c9d90b27a39881a9ad876de35c9ce2e2028967d5

SHA256
019439a1aa6380829b45d18b727c5533803a5c9dcfc0dcbecd2853bdb1bc5385

SHA512
73732363906ca92225ea6e6607a0210cf41178c0ffaa0b79b3746bb2856ec466faf00020255cfd2371aba8f01dc4c72ad79c56cdf0db35d594da3783fc221d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
bb0d2d5e7be76814b1e71787da74e053

SHA1
0b96e66de18519ed0c3ed0ab6035b57c4364ec97

SHA256
ab9efda70db52a18531104665cfa6b02ea636c524d353b74a6496115b9193fb8

SHA512
d1d7e5c3dec99fe4fc175f5168f663db29abed8dd3cac1081066aa2bd7d2f093e0eeaf03c1f52baca585d1e303a470ab4bc1c019c38ab753e23c4d336b776f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\[email protected]\install.rdf

Filesize
700B

MD5
59490fd71f050da0d9264f0f67c54786

SHA1
441d6154e7e7c707d756a8d1d4274720f06e50d6

SHA256
165cd78e9929018410cc4310445638cf593e4070509287b484f9fd31006c4c00

SHA512
3430bb7d02fabd3106336daee23d034ea2389cc4a03722fc1d753ac88bb1ccbee6d96a0591a5d3268f94c4bda59eb5a8da512fefda69e4ee6c52da36fbc33dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c3552.exe

Filesize
70KB

MD5
7319db88a44b28a6b71d9f66ad31acdc

SHA1
bdb88b0292f874dc2258ce27dfb67cf60c2a2644

SHA256
a56dcdeccac497635629d0eeef200ee0b9d7edaa80bdc7524d27bfa5ec68c7fa

SHA512
5bd1b8750247c1fcf0f57d4ea4569b727b36d9926c94c02fada307ee4168de45821beea2fe8abeda74a1b488ec7539005d8e80168074a60130cfa46b996ee22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c3552.exe

Filesize
70KB

MD5
7319db88a44b28a6b71d9f66ad31acdc

SHA1
bdb88b0292f874dc2258ce27dfb67cf60c2a2644

SHA256
a56dcdeccac497635629d0eeef200ee0b9d7edaa80bdc7524d27bfa5ec68c7fa

SHA512
5bd1b8750247c1fcf0f57d4ea4569b727b36d9926c94c02fada307ee4168de45821beea2fe8abeda74a1b488ec7539005d8e80168074a60130cfa46b996ee22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c358a.ocx

Filesize
126KB

MD5
d637295a8426c7c4a8e9ef3e584839a2

SHA1
55b64f53328498d22d269de2e65be2feeba7da00

SHA256
5cbd7f4b8f991ccab51cfc1fd0a5437013c5196f3c636632d691103aa3708adb

SHA512
f60f908b9f0efd4762255c9c71559bbd554714170262dd556353ddda55789d21cc3a8ade239cdf51da38dfa4e92714749c217095bccac19590ef8347ca501c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c35c3.html

Filesize
4KB

MD5
85363bb36ccb76d795ba88f7a7a4e665

SHA1
13b0b5dd8a3cf3bc7f185231aa163c1221716c05

SHA256
2be837ba4a61e809752db4fc4cc466cebb16eb84d8ebcfc235a745647e1505ca

SHA512
c19c321d08dcfb5583c73f8769d19e59f6f8a5ddce70a0215d6754631e2bba9693ecda8bbb1d90c6fbffc5a852b574999714d35241c9351cc9082679a73ee371

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c35fb.js

Filesize
9B

MD5
99fa5d714d971a49b67de27e0d8871be

SHA1
d0621e846ea60fa8d0b2c8e622e495af49cd7359

SHA256
f560d76474380da948a0c5ab8682dc026822d9685268c592f315224b1b968bf6

SHA512
2fec19e4f2a974227922a7e057890141523ae73fbfa127f9e8cd00dff71b29abb93cb865c6d74ecf3df8bca440c558d4fbf2f80e82cc9636320ab5edb95ebad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\gdhbeejljpjnlplcmjljlgbjcjlmagpp.crx

Filesize
8KB

MD5
b530f5a9ee28b4e26ed0e8f11d3a06b9

SHA1
14f6738a318241a20c945147c7e6fe0319e75b31

SHA256
460a0aa86301f696f5ed432cc1e9ad5827dcf5a7a4564e57389b794efed218ef

SHA512
3ed531661b9691cb07b745d17c4f2abcbb6845db4a9a54d98e015af30c4db73c5924c257247e99de3503eb8dc0052241d2adf4e2024210e87f309f348a3d873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\settings.ini

Filesize
906B

MD5
19ff933e17fc90321880094d292b6332

SHA1
090ccce152c946351cb4be6cb70bcd903f866daf

SHA256
d3ffe89e2f15613c145ec0c1b66c2163b975fabf05e5d19d736c5e112085ed2d

SHA512
dbd530c5e0ba9f314102bb8f02dbe1629e7b562816583241275aa0e91bae6b7b05a2b3273eae23d70e511bcdbe1908d6218beb4dadd872de6826d13d1420fa89

Download Submit
\ProgramData\Zoomex\50d6b792c358a.ocx

Filesize
126KB

MD5
d637295a8426c7c4a8e9ef3e584839a2

SHA1
55b64f53328498d22d269de2e65be2feeba7da00

SHA256
5cbd7f4b8f991ccab51cfc1fd0a5437013c5196f3c636632d691103aa3708adb

SHA512
f60f908b9f0efd4762255c9c71559bbd554714170262dd556353ddda55789d21cc3a8ade239cdf51da38dfa4e92714749c217095bccac19590ef8347ca501c8c

Download Submit
\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
68cbbc94350bf363934311029109102e

SHA1
88cf26282645bfd3f0216c7f30100a0a379407f2

SHA256
3a7740af62d07773e01d2b00fc222af90090e6d2839f37b44e5c353efede0ff4

SHA512
3db4885db6287b1066aeb10be303e0dd2507007025d42039bc1eaa85a950489c004adb9860ae22955c1275189371f4c3e3fda8a005be9ce5c36a261105697a35

Download Submit
\Users\Admin\AppData\Local\Temp\7zSABB.tmp\50d6b792c3552.exe

Filesize
70KB

MD5
7319db88a44b28a6b71d9f66ad31acdc

SHA1
bdb88b0292f874dc2258ce27dfb67cf60c2a2644

SHA256
a56dcdeccac497635629d0eeef200ee0b9d7edaa80bdc7524d27bfa5ec68c7fa

SHA512
5bd1b8750247c1fcf0f57d4ea4569b727b36d9926c94c02fada307ee4168de45821beea2fe8abeda74a1b488ec7539005d8e80168074a60130cfa46b996ee22f

Download Submit
\Users\Admin\AppData\Local\Temp\nsiBC5.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsiBC5.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1388-73-0x0000000074B90000-0x0000000074B9A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads