Malware Analysis Report

2025-01-18 21:12

Sample ID 240325-acw7tsdd9y
Target dcbfa5803ca55a47cbca4370532f2499
SHA256 e59edd2e50f4f70f9abe14203d725c0f20043cfd28b2f9d283aafaf6023b6040
Tags adware discovery spyware stealer upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 e59edd2e50f4f70f9abe14203d725c0f20043cfd28b2f9d283aafaf6023b6040

Threat Level: Shows suspicious behavior

The file dcbfa5803ca55a47cbca4370532f2499 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops Chrome extension

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-25 00:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-25 00:04
Reported 2024-03-25 00:07
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcbfa5803ca55a47cbca4370532f2499.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkijgljgfelnfghnihojmfkahggokpfl\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ = "Zoomex" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{861BEBBD-A83B-5883-AE96-F6869ECF901B} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f903893bff5.dll" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ = "Zoomex" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B} C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ProgID\ = "Zoomex.1" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50f903893bff5.tlb" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B} = "1" C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dcbfa5803ca55a47cbca4370532f2499.exe

"C:\Users\Admin\AppData\Local\Temp\dcbfa5803ca55a47cbca4370532f2499.exe"

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe

.\50f903893bfbc.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bfbc.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\nse37F9.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\settings.ini

MD5 848f691a1a8f1626d45655df3b9c6d8d
SHA1 a40ed5b8a733d868c6fc0e16016b68e381e881ea
SHA256 a5c34eca2366edb42d9d18dbfbfb08c0e19a5f8e62838e47503a9d66e7bbb886
SHA512 bf51622b35fa0a1e1dfda51f2102753f4bad8193d002fd7394c9fd4c200f459bf7af9ee0e245ce9e5be427aede75dc0c4eee8f7aa7dd5db2724a64ebcec6eae3

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\[email protected]\bootstrap.js

MD5 3e09a09faeaa338c40896b762999be3e
SHA1 e6bed133e76c615a7d38a1060048f09712f7f248
SHA256 877c8712061fb31d00282260cc769027e2b4d7b0167c43e72eae673f299372dd
SHA512 4db61794ee81ae35ac6c7f7c561ac44c52628d3fd5f8163e135ec843ca2ada4ec0436ebd05a89c07010a0663f6376e6a0af449bf35d9234e179756cb63614fc5

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\[email protected]\install.rdf

MD5 32e7b7da6c9a7475fb96f491064e9a08
SHA1 24bd564ec288b52caa6b033ee36e25514091d01b
SHA256 7f5f848ad6fb5c8d715a0813f0b4b01b8f0bcdc0d95f55619a953b1d533e849b
SHA512 9444367dccfb04d995bd07dc1a17881987b1fb1e58bec0551ff9873d0c556dcbc1090635f4a8723ce4324834b85f158cd5206c15e43e2051962b4821f99c3ca0

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\[email protected]\chrome.manifest

MD5 865aebd36781e92028cb0e2e4f5faafe
SHA1 f2bbda10fb990c5623abb68ad52cf5a8b10596dd
SHA256 5b2ed41bd33aa54dfdd52a4fb7198a52b65f9458f9f668ea4c531a919abba3cf
SHA512 e2b4e9eb087aa4beeeee97a4892ac9c34cc0cb7d1998e6b31b1336a3d521e9090cc82b3ee1bf38c22289589174ef83b673f4db84cd0bd7c23670da33e9710d3f

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\[email protected]\content\bg.js

MD5 510bea5d94e11fa98e3cdef52a3490d6
SHA1 e3a05286df6a0b3518c497663eb3cefd40fc4eac
SHA256 b91c0b0b6faad70ac926917a43f6b3e42fd3a492745c65370f3d0c1c597903fe
SHA512 44103b4508317a541dad5c9c586f511e548dff0ee0eaecfe37c260bdc6e2b29da23e37cc5e2885488335cc6b5f75c07504f0fd10353ed9628fe0cbc152fd001d

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\[email protected]\content\zy.xul

MD5 eac647a8f29cc16b198bbd304d7af699
SHA1 0af632f9b87353881773cd8a61dcf66297c40e9b
SHA256 b1373fb3138db57da294eb2c72fb53f48335887d4a9022bf42cab596acc09b60
SHA512 07a048b3c704420f1bb04fb4a44f5c91daa2c9af54f1017c9fde568cffdbc4f67566e45aed5e73a73ff061dde6e29466c4165e0b5650d0838c86117e72bb9605

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\bkijgljgfelnfghnihojmfkahggokpfl\50f903893bdbd6.18692402.js

MD5 7f9ae6cd9b8596bb05bfc994038522c1
SHA1 422008f335ecfbf743ff165e55fa9e7a9578907b
SHA256 534e2cdb5142328ff76a7ab7a7b24e8c895fb635e370e9dd4344bc8f7c6288ab
SHA512 77fbd03c0fde74e8a59f81532b220192aaf487083df88792c41f43ef2e1936c38e83de19980580639e350cf258e4b19a3372308c99d53a4209fdf80d62e56dbe

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\bkijgljgfelnfghnihojmfkahggokpfl\background.html

MD5 8c9559eb686eac45f77ec587bb042f8e
SHA1 43e926ce37d4229848ea9df738b0565288f7ec29
SHA256 2f91d0c1242f67c25d7288176307236a72e712ec88ef7e2c558cf854a408f7fd
SHA512 b4e3830543822bfa5e0dc7d2ea32bcd6c3276ac01f5d0ec05597e779eab1573113e6e176009ab6deaa312443a25a104e7397c7138f5923d8a49f2b35887e5aa7

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\bkijgljgfelnfghnihojmfkahggokpfl\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\bkijgljgfelnfghnihojmfkahggokpfl\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\bkijgljgfelnfghnihojmfkahggokpfl\manifest.json

MD5 95b6b9aa3a3730d6d373a68eb5b411c9
SHA1 05cc71bfa2d2a2a18e169def790cca29f757dd3e
SHA256 5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e
SHA512 5a178056071d0c94d2cfdf72a60403fbf9703cc28abe560f1f04fc2e073188f595c6bb3b687c7e2654899e103a229fe123c41af8aebbe189c9854ed71d8c672e

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\bkijgljgfelnfghnihojmfkahggokpfl\sqlite.js

MD5 a638f008bb11ab5ccc728a05cd6f2532
SHA1 c6f3c385d83e473579cb27edce385a1b781ef549
SHA256 399d8914e26495d33f2e611ca558b2fe7fc77a3163593d30b2b65fa699f00c1b
SHA512 688ddf3e621730aa691caa1a816bc381a4ffa0255834ddd27f823a42de1827d9e3faa0720a720ba41a05329da91befa23b416945809264bf6e510129cf36ae5f

C:\Users\Admin\AppData\Local\Temp\nse37F9.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/2716-79-0x0000000074AF0000-0x0000000074AFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bff5.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

C:\Users\Admin\AppData\Local\Temp\7zS373C.tmp\50f903893bff5.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\Zoomex\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-25 00:04
Reported 2024-03-25 00:07
Platform win7-20240221-en
Max time kernel 119s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcbfa5803ca55a47cbca4370532f2499.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkijgljgfelnfghnihojmfkahggokpfl\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{861BEBBD-A83B-5883-AE96-F6869ECF901B} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ = "Zoomex" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ProgID\ = "Zoomex.1" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B} C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f903893bff5.dll" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50f903893bff5.tlb" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B}\ = "Zoomex" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{861BEBBD-A83B-5883-AE96-F6869ECF901B} = "1" C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dcbfa5803ca55a47cbca4370532f2499.exe

"C:\Users\Admin\AppData\Local\Temp\dcbfa5803ca55a47cbca4370532f2499.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe

.\50f903893bfbc.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bfbc.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\settings.ini

MD5 848f691a1a8f1626d45655df3b9c6d8d
SHA1 a40ed5b8a733d868c6fc0e16016b68e381e881ea
SHA256 a5c34eca2366edb42d9d18dbfbfb08c0e19a5f8e62838e47503a9d66e7bbb886
SHA512 bf51622b35fa0a1e1dfda51f2102753f4bad8193d002fd7394c9fd4c200f459bf7af9ee0e245ce9e5be427aede75dc0c4eee8f7aa7dd5db2724a64ebcec6eae3

\Users\Admin\AppData\Local\Temp\nsy428D.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\[email protected]\bootstrap.js

MD5 3e09a09faeaa338c40896b762999be3e
SHA1 e6bed133e76c615a7d38a1060048f09712f7f248
SHA256 877c8712061fb31d00282260cc769027e2b4d7b0167c43e72eae673f299372dd
SHA512 4db61794ee81ae35ac6c7f7c561ac44c52628d3fd5f8163e135ec843ca2ada4ec0436ebd05a89c07010a0663f6376e6a0af449bf35d9234e179756cb63614fc5

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\[email protected]\chrome.manifest

MD5 865aebd36781e92028cb0e2e4f5faafe
SHA1 f2bbda10fb990c5623abb68ad52cf5a8b10596dd
SHA256 5b2ed41bd33aa54dfdd52a4fb7198a52b65f9458f9f668ea4c531a919abba3cf
SHA512 e2b4e9eb087aa4beeeee97a4892ac9c34cc0cb7d1998e6b31b1336a3d521e9090cc82b3ee1bf38c22289589174ef83b673f4db84cd0bd7c23670da33e9710d3f

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\[email protected]\install.rdf

MD5 32e7b7da6c9a7475fb96f491064e9a08
SHA1 24bd564ec288b52caa6b033ee36e25514091d01b
SHA256 7f5f848ad6fb5c8d715a0813f0b4b01b8f0bcdc0d95f55619a953b1d533e849b
SHA512 9444367dccfb04d995bd07dc1a17881987b1fb1e58bec0551ff9873d0c556dcbc1090635f4a8723ce4324834b85f158cd5206c15e43e2051962b4821f99c3ca0

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\[email protected]\content\bg.js

MD5 510bea5d94e11fa98e3cdef52a3490d6
SHA1 e3a05286df6a0b3518c497663eb3cefd40fc4eac
SHA256 b91c0b0b6faad70ac926917a43f6b3e42fd3a492745c65370f3d0c1c597903fe
SHA512 44103b4508317a541dad5c9c586f511e548dff0ee0eaecfe37c260bdc6e2b29da23e37cc5e2885488335cc6b5f75c07504f0fd10353ed9628fe0cbc152fd001d

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\[email protected]\content\zy.xul

MD5 eac647a8f29cc16b198bbd304d7af699
SHA1 0af632f9b87353881773cd8a61dcf66297c40e9b
SHA256 b1373fb3138db57da294eb2c72fb53f48335887d4a9022bf42cab596acc09b60
SHA512 07a048b3c704420f1bb04fb4a44f5c91daa2c9af54f1017c9fde568cffdbc4f67566e45aed5e73a73ff061dde6e29466c4165e0b5650d0838c86117e72bb9605

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\bkijgljgfelnfghnihojmfkahggokpfl\50f903893bdbd6.18692402.js

MD5 7f9ae6cd9b8596bb05bfc994038522c1
SHA1 422008f335ecfbf743ff165e55fa9e7a9578907b
SHA256 534e2cdb5142328ff76a7ab7a7b24e8c895fb635e370e9dd4344bc8f7c6288ab
SHA512 77fbd03c0fde74e8a59f81532b220192aaf487083df88792c41f43ef2e1936c38e83de19980580639e350cf258e4b19a3372308c99d53a4209fdf80d62e56dbe

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\bkijgljgfelnfghnihojmfkahggokpfl\background.html

MD5 8c9559eb686eac45f77ec587bb042f8e
SHA1 43e926ce37d4229848ea9df738b0565288f7ec29
SHA256 2f91d0c1242f67c25d7288176307236a72e712ec88ef7e2c558cf854a408f7fd
SHA512 b4e3830543822bfa5e0dc7d2ea32bcd6c3276ac01f5d0ec05597e779eab1573113e6e176009ab6deaa312443a25a104e7397c7138f5923d8a49f2b35887e5aa7

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\bkijgljgfelnfghnihojmfkahggokpfl\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\bkijgljgfelnfghnihojmfkahggokpfl\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\bkijgljgfelnfghnihojmfkahggokpfl\manifest.json

MD5 95b6b9aa3a3730d6d373a68eb5b411c9
SHA1 05cc71bfa2d2a2a18e169def790cca29f757dd3e
SHA256 5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e
SHA512 5a178056071d0c94d2cfdf72a60403fbf9703cc28abe560f1f04fc2e073188f595c6bb3b687c7e2654899e103a229fe123c41af8aebbe189c9854ed71d8c672e

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\bkijgljgfelnfghnihojmfkahggokpfl\sqlite.js

MD5 a638f008bb11ab5ccc728a05cd6f2532
SHA1 c6f3c385d83e473579cb27edce385a1b781ef549
SHA256 399d8914e26495d33f2e611ca558b2fe7fc77a3163593d30b2b65fa699f00c1b
SHA512 688ddf3e621730aa691caa1a816bc381a4ffa0255834ddd27f823a42de1827d9e3faa0720a720ba41a05329da91befa23b416945809264bf6e510129cf36ae5f

\Users\Admin\AppData\Local\Temp\nsy428D.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/2704-80-0x00000000752C0000-0x00000000752CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bff5.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

C:\Users\Admin\AppData\Local\Temp\7zS4173.tmp\50f903893bff5.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\Zoomex\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935