23e857d52a42489a4ab4d2f444607ad6b94b72fe3ce3eb14436cb12c34b279d0

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

349e0faea11882b3c6a9c8b363f79d2e.exe
Size

249KB
MD5

349e0faea11882b3c6a9c8b363f79d2e
SHA1

ea709eb91186f6db7d51295e1aa8ccb6a9a9544c
SHA256

23e857d52a42489a4ab4d2f444607ad6b94b72fe3ce3eb14436cb12c34b279d0
SHA512

99d0b49834bab0d6f06d311cb28fdc5048e2cb683c4922f0f0803e1c5f75fe7a85ea2e9b1c9685d9228b96f4bed86f8cb1b46f3fe513264ebc10696c5c03d747
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5BF7COCV2irqWIpwVd:h1OgLdaOBF7COC2irqWIpw3

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000017407-110.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2840	50e9307f793ab.exe

Loads dropped DLL 5 IoCs

pid	Process
1244	349e0faea11882b3c6a9c8b363f79d2e.exe
2840	50e9307f793ab.exe
2840	50e9307f793ab.exe
2840	50e9307f793ab.exe
2840	50e9307f793ab.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000017407-110.dat	upx
behavioral1/memory/2840-81-0x0000000075110000-0x000000007511A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eikagknggmngojbldehgpinjjenhfhek\1\manifest.json	50e9307f793ab.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\ = "Zoomex"	50e9307f793ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\NoExplorer = "1"	50e9307f793ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001650c-33.dat	nsis_installer_1
behavioral1/files/0x000600000001650c-33.dat	nsis_installer_2
behavioral1/files/0x000d0000000185f4-107.dat	nsis_installer_1
behavioral1/files/0x000d0000000185f4-107.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\InProcServer32	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\ = "Zoomex"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\InProcServer32\ThreadingModel = "Apartment"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\ProgID	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\ProgID\ = "Zoomex.1"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50e9307f793e4.tlb"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50e9307f793e4.dll"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867}	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50e9307f793ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50e9307f793ab.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16
PID 1244 wrote to memory of 2840	1244	349e0faea11882b3c6a9c8b363f79d2e.exe	16

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E7FEEE5A-0EE4-E577-79AF-85F37C29B867} = "1"	50e9307f793ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50e9307f793ab.exe

C:\Users\Admin\AppData\Local\Temp\349e0faea11882b3c6a9c8b363f79d2e.exe
"C:\Users\Admin\AppData\Local\Temp\349e0faea11882b3c6a9c8b363f79d2e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\50e9307f793ab.exe
  .\50e9307f793ab.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\50e9307f793e4.tlb

Filesize
2KB

MD5
096a65b8a695249d5d554776f1eeace3

SHA1
2f2506b886a59b4408b23653d8734004ec2dda6d

SHA256
a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568

SHA512
6e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc

Download Submit
C:\ProgramData\Zoomex\settings.ini

Filesize
7KB

MD5
2ca86d70950a82fc7e681a3a32c8608d

SHA1
ef2396d13ced454e63e47d91c38b37d064bacc1d

SHA256
83d584df467b255aeb119b256938f9e430fda22efd979a88af915beffce3aee1

SHA512
8ebe350391c572b925569e3a393429b53e0201eb0ca1eeca1ba1590182e62158eab3d0b1a0fd156b0ede9aacf83bcf2af15eac10ecaeceacd0d78bdfa9d79340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eikagknggmngojbldehgpinjjenhfhek\1\manifest.json

Filesize
475B

MD5
95b6b9aa3a3730d6d373a68eb5b411c9

SHA1
05cc71bfa2d2a2a18e169def790cca29f757dd3e

SHA256
5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e

SHA512
5a178056071d0c94d2cfdf72a60403fbf9703cc28abe560f1f04fc2e073188f595c6bb3b687c7e2654899e103a229fe123c41af8aebbe189c9854ed71d8c672e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
caf4dec6254cab000cc7ba40880fcae4

SHA1
690c18bd762cf5f15f4ab1b1620cc7346f9f5648

SHA256
09bad0c78654042828d8ec62d07b61a6f1a168ba557b0cc2190990da8debec43

SHA512
9170ab3d90715e87802b2c8fa3f46bf8c5149fca8aa1969985d79291d6390f4971c97fa39a52256d8c4ea0812cf012a279629c8540e2928f414e3b7d567f4711

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
a0cf820bc2dbf73b5a5727492ffe66d0

SHA1
3bb7d43ae2a8fa0fa68c5fbc2322f118341fe689

SHA256
8059aa327b46573f587fc5589ce33752ca437b1496a7c287c494df7e9862d51c

SHA512
85ee20c5e00ed0ed96c7679ec8d17a3869d73bce3dc1a07528ca21a05a8c396c84f7b4c4f1d05ca327d3e83b2902b3a418beebce6ea42d1f9533edee0f331706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
259c318f34198ea66db6076b591a533d

SHA1
d1458812bf0c906c3c22db7cbf276e4b6d51a7b7

SHA256
2a85ee61d205010f8d295e0d628f5c22a9350cb95bf565b09033f1a44e95b5e8

SHA512
de1b6c50ff1263be3fdaa07892a91a6f899aaafe44b8fe4ba606d42262876845b1d3371fa2c2d010e23d1d7cc58631f39fd26698b21fc4e2aa23762fdc9a1382

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
481dbd0e34df695f27670dee19414b64

SHA1
8099c931078aa035f86b5905495ea98a92840bc6

SHA256
8d4f10c5b94253a324a67e63f64f7d6f1dbb127c3013e9debe69f9f62394d2ee

SHA512
de46791f9756cffe48f76c36613f421037643c85273b4c4a62987b57f6fd54b93350afabcdc98a844aa40137364777b388fa330221574513af7e7ef9bb5f200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\[email protected]\install.rdf

Filesize
700B

MD5
24c9dde04f046ac9665afdf6372a0494

SHA1
56bd066963c37c26cd97933897321f4cd595f591

SHA256
99e483a25625eeb1ac02b94ed09c28269cb8f210d4beab56dffc273c2f830b37

SHA512
6dcf205bd3a6f409d4feed8b0b59db062873c30da11a530659f2b3d008554445816e6ea02f3d0fd873617fd9c07cee9aed98c05e2f3995f9a7dd408e0bac7f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\50e9307f793ab.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\eikagknggmngojbldehgpinjjenhfhek\50e9307f791de3.99658359.js

Filesize
4KB

MD5
8cee93201ad62555cdd80067d71fe51f

SHA1
4565373c0a496678ef8041d132f61c40cefb7766

SHA256
941acbcd10c4572356ebaac0920d8221050b124982cfdfb622458d90c144e18c

SHA512
cb3db582390466f7899686bc01ab7da1f107bb9ed770d30d00714374f7aa68fade8d4d46489bdcc19c4fd072f73d4a4af20e4cbae6a38474e5927b04130fd7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\eikagknggmngojbldehgpinjjenhfhek\background.html

Filesize
161B

MD5
60176f1de6eb176769a3ce789a0f64e0

SHA1
60635a3f08203997333503971df0fc4a2bbb485f

SHA256
387c237d072aee618095dfb73daaabc795e5c17adcc76563335a3bf4766f9041

SHA512
d41a3650c49a86a0058127816b7f5dd24e4537a7d88a8bf54e3e496e02b99a41ca143f54effe35cef77051768ddc210bd17d836df6b1182c2c2656d947ccbae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\eikagknggmngojbldehgpinjjenhfhek\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\eikagknggmngojbldehgpinjjenhfhek\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\eikagknggmngojbldehgpinjjenhfhek\sqlite.js

Filesize
1KB

MD5
c64958a3f2bab5597e29b4c49e9c2a5e

SHA1
50c9712d13ebf2ab540427c1fa77bf060589c906

SHA256
645fa5ef2fa0d7232c2435077dd3d1b7d3372536e62eac35208e82ab107bf073

SHA512
4f97dae80add7ffd10b2f53a21018be2693ea4ad83148caf8452d84b73c44962190f36ad7f4a7ba68dfea88613ac8660199eaed30d2d3c5aebd8ad05a2f8058c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1787.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi1787.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
\ProgramData\Zoomex\50e9307f793e4.dll

Filesize
115KB

MD5
6696822add17061dc0bb8ee5b42cc2d4

SHA1
d4622558ba366f2f94560da301a81c6c16f95a3c

SHA256
73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125

SHA512
0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

Download Submit
\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
f3c79bda3fdf7c5dd24d60400a57cadb

SHA1
1adb606aaeedb246a371c8877c737f0f8c798625

SHA256
a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b

SHA512
c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Download Submit
memory/2840-81-0x0000000075110000-0x000000007511A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads