Malware Analysis Report

2024-09-23 15:11

Sample ID 240517-j6m1pahd42
Target zMail_2.6.7_20231206.exe
SHA256 466e16470540e3e0718cc26c29c208b2d555a812f6f7419ef4f6f60bf69f19a5
Tags
execution discovery evasion persistence trojan qr link
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

466e16470540e3e0718cc26c29c208b2d555a812f6f7419ef4f6f60bf69f19a5

Threat Level: Shows suspicious behavior

The file zMail_2.6.7_20231206.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

execution discovery evasion persistence trojan qr link

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Blocklisted process makes network request

Checks whether UAC is enabled

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

One or more HTTP URLs in qr code identified

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: JavaScript

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Modifies system certificate store

Enumerates processes with tasklist

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-17 08:19

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\push.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\push.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

118s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240419-en

Max time kernel

122s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\is-array.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\is-array.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

119s

Max time network

135s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\iterator.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\iterator.js

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240215-en

Max time kernel

121s

Max time network

132s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\last-index-of.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\last-index-of.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

122s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:22

Platform

win7-20240215-en

Max time kernel

113s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\zMail\appzm\zMail.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe N/A
N/A N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe N/A
N/A N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{41d7b770-418a-43b7-95a5-f925fff05789} = "\"C:\\ProgramData\\Package Cache\\{41d7b770-418a-43b7-95a5-f925fff05789}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\zMail\appzm\zMail.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\zMail\appzm\locales\ta.pak C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\function-apply.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\esnext.typed-array.group-by.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\libgsf-1\gsf\gsf-fwd.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\Scripts\Components\ZMailMultipleChoice\ZMailMultipleChoice.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\es\weak-map\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\map\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\pango-1.0\pango\pango-renderer.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\es\json\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\stable\symbol\description.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailPlugins\ueditor\lang\en\images\background.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-abi\node_modules\semver\functions\minor.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\function\virtual\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\Calendar\css\images\filter_type1_02.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\fd-slicer\package.json C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\pango-1.0\pango\pangofc-font.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailCommon\ZmailLanguageResource.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\Calendar\css\images\fancy_title_main.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\stable\math\to-string-tag.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Theme\Icons\theme_bgColor.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-addon-api\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\string\virtual\pad-start.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Icons\messageIcon_success.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\WriteMail\Styles\Icons\icon_round.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailPlugins\bootstrap-switch-master\dist\css\bootstrap2\bootstrap-switch.min.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\log4js\node_modules\date-format\lib\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\glib-2.0\gio\gseekable.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\weak-map-helpers.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\esnext.map.find.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\proposals\object-iteration.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\Images\cludimages\close1.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\Images\cludimages\user.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\@electron\remote\main\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\Module\ClearSystemData\Styles\ClearSystemData.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\loose-envify\replace.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Icons\file\pdf_m.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\AttachControl\Styles\Images\full_ico.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Icons\z25.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\MailBox\Styles\mailbox.html.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\iconv-lite\encodings\utf32.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-abi\node_modules\semver\classes\semver.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\string\virtual\to-well-formed.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\ReadPanelIframe\ReadToolPanel\Styles\Icons\z11.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\Images\cludimages\leftico01.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\object\freeze.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\symbol\split.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\instance\filter.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\math\clamp.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\math-scale.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\Scripts\Business\Mail\HistoryLogControl.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Images\loadingLogo.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\Calendar\js\jquery-ui-timepicker-addon.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\string\virtual\trim-right.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\weak-set\from.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Scripts\UserFolder\Styles\Icons\folder-btn04.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Icons\file\pic_m.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\Images\cludimages\logo.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-disk-info\package.json C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\esnext.iterator.some.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\stable\symbol\split.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\Calendar\css\images\btn_del.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\iterator\reduce.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\harfbuzz\hb-draw.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\libgsf-1\gsf\gsf-output-stdio.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f76c47a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c48d.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c477.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c489.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICF4E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c48a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c48d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICE62.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c4a0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
File opened for modification C:\Windows\Installer\f76c477.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c47a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICA57.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
File opened for modification C:\Windows\Installer\MSIC99A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c48a.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{5720EC03-F26F-40B7-980C-50B5D420B5DE}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.31.31103" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\30CE0275F62F7B0489C0055B4D025BED C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{5720EC03-F26F-40B7-980C-50B5D420B5DE}v14.31.31103\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.31.31103" C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.31.31103" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED\Provider C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.31.31103" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\PackageCode = "995DEE89EAAE96A458EF13C23C3854B3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.31.31103" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Version = "236943743" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{5720EC03-F26F-40B7-980C-50B5D420B5DE}v14.31.31103\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\PackageName = "vc_runtimeMinimum_x86.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\ = "{41d7b770-418a-43b7-95a5-f925fff05789}" C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\Dependents C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Version = "236943743" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.31.31103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\FFF3E997C507F1644B00D62E37893B5E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.31.31103" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{799E3FFF-705C-461F-B400-6DE27398B3E5}v14.31.31103\\packages\\vcRuntimeMinimum_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\Dependents\{41d7b770-418a-43b7-95a5-f925fff05789} C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{799E3FFF-705C-461F-B400-6DE27398B3E5}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{799E3FFF-705C-461F-B400-6DE27398B3E5}v14.31.31103\\packages\\vcRuntimeMinimum_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Program Files (x86)\zMail\appzm\zMail.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 1880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2788 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 2372 wrote to memory of 808 N/A C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 808 wrote to memory of 3032 N/A C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3032 wrote to memory of 2540 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2540 wrote to memory of 1228 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 1880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 1880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 1880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 1880 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 2712 wrote to memory of 880 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe

"C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe"

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe

"C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe" /S

C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe

"C:\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /S

C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe

"C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{569C9830-454F-4117-B38E-BE03AC810506} {03C4E0DC-A4D7-4749-95F8-51D76D0FA639} 2372

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "0000000000000388"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={41d7b770-418a-43b7-95a5-f925fff05789} -burn.filehandle.self=500 -burn.embedded BurnPipe.{46804C9C-BDF2-4246-AA51-6940C5F95D0B} {52420A93-223D-40D8-B8D7-5BA4B7466B43} 808

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={41d7b770-418a-43b7-95a5-f925fff05789} -burn.filehandle.self=500 -burn.embedded BurnPipe.{46804C9C-BDF2-4246-AA51-6940C5F95D0B} {52420A93-223D-40D8-B8D7-5BA4B7466B43} 808

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{E5410C02-DB6A-402E-851E-B96A30AA89FF} {9239E761-F8D6-4397-9BEA-B48A28DBBF92} 2540

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe"

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1036 --field-trial-handle=1120,i,14509814365736490137,572696482343487929,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\zmail /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\zmail\Crashpad --annotation=_productName=zmail --annotation=_version=2.6.7 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=22.3.15 --initial-client-data=0x65c,0x660,0x664,0x52c,0x668,0x914ed38,0x914ed48,0x914ed54

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --host-resolver-rules="MAP zmail-electron.zte.com.cn 127.0.0.1,MAP localhost 127.0.0.1" --ignore-urlfetcher-cert-requests --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --mojo-platform-channel-handle=1660 --field-trial-handle=1120,i,14509814365736490137,572696482343487929,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --app-path="C:\Program Files (x86)\zMail\appzm\resources\app" --no-sandbox --no-zygote --first-renderer-process --js-flags=--max_old_space_size=2048 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1900 --field-trial-handle=1120,i,14509814365736490137,572696482343487929,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1036 --field-trial-handle=1120,i,14509814365736490137,572696482343487929,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "TASKLIST /FI "IMAGENAME eq zMailDataService.exe" /FO CSV"

C:\Windows\SysWOW64\tasklist.exe

TASKLIST /FI "IMAGENAME eq zMailDataService.exe" /FO CSV

C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe

"C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
CZ 2.19.217.218:80 www.microsoft.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nsr.gvt1.com udp
GB 74.125.105.134:443 r1---sn-aigl6nsr.gvt1.com udp
GB 74.125.105.134:443 r1---sn-aigl6nsr.gvt1.com tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:57635 tcp
N/A 127.0.0.1:57640 tcp
N/A 127.0.0.1:57642 tcp
N/A 127.0.0.1:57644 tcp
N/A 127.0.0.1:57646 tcp
N/A 127.0.0.1:57648 tcp
N/A 127.0.0.1:57650 tcp
N/A 127.0.0.1:57652 tcp
N/A 127.0.0.1:57654 tcp
N/A 127.0.0.1:57656 tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
N/A 127.0.0.1:15263 tcp
US 8.8.4.4:443 dns.google udp
N/A 127.0.0.1:15263 tcp
DE 209.9.37.144:443 tcp
HK 63.221.140.234:443 tcp
HK 63.221.140.234:443 tcp
HK 63.221.140.234:443 tcp
US 8.8.8.8:53 zmail.zte.com.cn udp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
N/A 127.0.0.1:15263 tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
N/A 127.0.0.1:9080 tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 74.116.198.155:80 zmail.zte.com.cn tcp
US 8.8.8.8:53 zmail.zte.com.cn udp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp

Files

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\LangDLL.dll

MD5 4cdaaf5da900a8eaed090cd22b8f8781
SHA1 6c7d9cfd96e66d236b66b8d50d65083a0dbb1b11
SHA256 09477d605677bea48019b896f068ce6c2e89004e5c5f0a86c0276db30c6515a6
SHA512 3797d59aeb908dcd66c63eca76cb2064416d3b66033dc687bc7a9c50e2979c42ac94773f54bc8ec45a9cd69c8056b83a2bca6efcd703f71a4b5f67e166f1e06d

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\nsProcess.dll

MD5 faa7f034b38e729a983965c04cc70fc1
SHA1 df8bda55b498976ea47d25d8a77539b049dab55e
SHA256 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\InstallOptions.dll

MD5 046074d285897c008499f7f3ad5be114
SHA1 159040d616a056ee3498ec86debab58ef5036a55
SHA256 254c5ccbce59ad882f7f51d0bf760cabde8c88c5af84e13cc8ad77ba0361055c
SHA512 ab7436fda44e340dd5909ddec809c6b569a90d888529ef9320375e1aae7af85afcab8c1c1618551d3fe8d6ae727f7dca97aa8781b5555da759d501d2ccd749e1

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\ioSpecial.ini

MD5 5f5db871959e501765a005f9417714bd
SHA1 bac485a6c9cffc61e7767ad07a7ed97aeb2d22cf
SHA256 cca789af82fe97fd0af1d464fb5c55eb7b89ffe0af5feecb7fbbfa180ab11ea2
SHA512 065a3c46f357ba2b15c33c1200024a158bf91b714e39b124ffa541e543cde19149b086beef226cbd9563ccf6d01f9bbdb2aa859f27a4e5088122cd9ee1cafd96

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\ioSpecial.ini

MD5 1582447f30aa3e65390a862b7d332cf0
SHA1 c5385100ce6b4486b1268dffe4b0f1bc52c68762
SHA256 b864df4895627f29ef71c0cd536ff3ad0a8d0f196b0d5f270f0af181076c04e9
SHA512 9610be63f2d6b6050a6d464ff2387a4c35a29fb9b234dacb2d1808b672e521744f2b157b172c3ab9d312287bf02dc4e624952f945918aa59f0663613e8ac0975

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-abi\node_modules\yallist\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\typed-array\entries.js

MD5 8565e5c4f039e694c7e51337055437e5
SHA1 b381923a6a2bd3fc437cfdfb9110623c3dde5409
SHA256 97ef425fda3f8b7001e8e05b499724c5895ddbdad6986681c8b7d7c04ba14a3d
SHA512 4598bd276a6bb7b936687314b4fb31be38356dc131814fd445f777aca92eebac591f7e5d052c2a55b4a0242da0ef45f3618f55310e5bb585caf3504a32e1d00e

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\LICENSE

MD5 901f6cd9846257b3a9c69dbd0a49caf1
SHA1 1506731a652bba9abdf804ba3c95651ec5a68bdc
SHA256 52412d7bc7ce4157ea628bbaacb8829e0a9cb3c58f57f99176126bc8cf2bfc85
SHA512 547627636339a25d7bf811b98143032ab2c43e0ccc5fe236656a98b98a009312a9abf2f05ab7a898695bbf0d09e727640385c3d7368d1545f13625215696019b

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\build-info.json

MD5 daf224998924bf5b6470108ba8c61bf0
SHA1 7d442f4e1d1f2165d576ba9b568d3d58ea400cd0
SHA256 b4ac406c33019facb17bf89bb4b0b1b7af520deefb1d49d7acb95f9f2ab93c7c
SHA512 dab8acb6d036516acde15b9d6f237506da9bbf3280488a0102952fdf76a56ad30926bd0a8500ff95ccbdddc2f1dab29d379b557df8fe26e72210b02d117e7c36

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\node_modules\object-assign\index.js

MD5 4eb3c1a156ce2effd67b37a2dfedc632
SHA1 519ffd5a4c91b67302cc9947b794966d629860cd
SHA256 e02cb9714ef6e561e971fe400644330212f07ca86120587199470d8b759a4b7c
SHA512 b08e9da7c516d186ae38b15f4ba796b524fbe8a7fb50775355d645b8c19f70038965374d9f1094f0aa02de94375481c0f9153aed5c48b3fe40ffe84d636790e6

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\node_modules\object-assign\license

MD5 a12ebca0510a773644101a99a867d210
SHA1 0c94f137f6e0536db8cb2622a9dc84253b91b90c
SHA256 6fb9754611c20f6649f68805e8c990e83261f29316e29de9e6cedae607b8634c
SHA512 ae79e7a4209a451aef6b78f7b0b88170e7a22335126ac345522bf4eafe0818da5865aae1507c5dc0224ef854548c721df9a84371822f36d50cbcd97fa946eee9

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\node_modules\object-assign\package.json

MD5 7cb75c6e5855efa176d05689a7c0cd83
SHA1 3fbaf24f8d5659a998f6ebfcbef1f4ded990dfae
SHA256 66e5eeeeb818df66e6d3a7c0d72c68bb38dc8b4cd57aa4d69018ab975c318081
SHA512 b23f4c00998d39e3f9a6620e21fc6ea30e9f55537f9187f6c9e4da8d0014aaa696d0dba93889551696dbb233009b43aec4111857b774ce61597ec0f6fe98ef42

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\tar-stream\LICENSE

MD5 9befe7026bf915886cd566a98117c80e
SHA1 a95ab3a4b0e4bd978897f09b3b430a449da20a08
SHA256 3fe8d55a98dbf260eace67c00cf9bc53edb46234e840098a0b93df3096b97fb6
SHA512 b52ba143042812d6dd1031a12946afddb6e8f8ebbc7169c59c138d16aafc5e261aae92fe6b1ea94a3d80e39d2415c4b219710ef46939a2df135db24a0cf712fb

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\MailBox\Styles\Images\zmask-black.png

MD5 ada2d81c103904b90a362ee3d5ccdf32
SHA1 39e498617173b996ff7e74364cceab08f52064c8
SHA256 19a224698e93a1594a6583562361b5c456902afb34e8b3f420bf91566951081a
SHA512 dce1d1796e8523c74d103c1516e1b253e720a8ecb2bd3056d3c9e2c54bc3637f2349d3887efb140ed766e498d4bafe132b3668285e5ccfdfa1167390d63ad33e

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\fontawesome-webfont.eot

MD5 5ae23ad29b67289a1375d2043e289c52
SHA1 d7e77928069bdd227f291b9a2c9bdd918793e529
SHA256 a9595e5bf3b6dbbc076902b9abdea356053d69a2fe66506706de9bb39a126b8f
SHA512 78abaadea605e1615e2a40e7dea7456c9dcfe2da62461c6118d494130ab0d36f6943b2b81a4fc4339a12d458989f4433600b7ee2a18c120e1248e744bf8f970f

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\glyphicons-halflings-regular.eot

MD5 2469ccfe446daa49d5c1446732d1436d
SHA1 d53dff38dfb5c414015dfb31d30a473c95b50904
SHA256 5ff7c239555476e939e86d457bb78424b945b733b2c23791d9807c2357259d43
SHA512 4594e33e06a8ceab7c842b6867e4334a985091076c88d39c441732caa61c65668c2c0836d4d29f0ac296c6d064f13c89eb89b7342e28da8f43af083369363621

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\se7en.eot

MD5 c97922b46d0dec5b6d4e3dd9fd7c3370
SHA1 5aa1eb8e36dfd47b9b124b2ba637b0fca67123f3
SHA256 6c8f8f5b8eeb27df6d27335f000954489db9865e543feae64e92db9a1298bd98
SHA512 8549b3e6d52d8d8e0cd4f5f251b125b28ccb864cf145d22b35e199e77e793141e9af70e4086940058f90f56b0ea2038524f35d365efcdc9a9a80d8a4085e8ced

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\VS2019runtime.exe

MD5 d3b594464f2312cde31af3f2aa516f9e
SHA1 15fe8e70c3c5582b70df173cd9b580331677735a
SHA256 b7ae307237f869e09f7413691a2cd1944357b5cee28049c0a0d3430b47bb3edc
SHA512 ccb19250b90eb629c35a897aba6d0ab16402305d9ec16b97b902fc810cde5d215cf8149a273cc8f8cae5a4b0665b116c085fe3b01a3ab3860c44f20ca95d6e83

\Windows\Temp\{CEE733EC-FACF-4A0B-9B52-EDF426B37D5B}\.cr\VS2019runtime.exe

MD5 0082d66b4bd5a3f6254dd749fe372cb6
SHA1 9c06222e24276ba02a05767eed04cacdf00e54cf
SHA256 c78b97480214fd42f989eb3b2da72e325e1f6855adb7d4660deeca6ca63d5025
SHA512 727d329dba144ad58996f16de6c1272899fba6a4fa0fbfa7b14454d84ec250e0efe709a46249bcf486f61907aa08fd1c13aa447c7e773030dbff96c08f859f6a

\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\vcRuntimeMinimum_x86

MD5 02484c30642db7c46b8bcd98a0c5a2e2
SHA1 cab48e762c8fcc023e1ef37f773b8d9e404dfa0e
SHA256 f23a7326f2802f253baa0cd93e443a67b6691db70f5c9a1788d4731e5fb168bd
SHA512 49ca0e550d7be548fa41cdeb8bfd1213df4195a8644ab12f83c468db60b93d6f839b0c25daa579902acd41af8c8460431fe750fba574774ec9deea495cd420e1

C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\cab54A5CABBE7274D8A22EB58060AAB7623

MD5 c3fa66895d164ef3aa80d0806ff08434
SHA1 c52df9924dcaac249e319dc773f315e5d5b98458
SHA256 526faf200b6be8c72c7d8f3ff2549bb88417a922112595b03f3092c24a0f1b7f
SHA512 0fc7f0263fcbb8c752748a184fad7c39fa7eba1c2045f8bc51afb74a691ad14ba9483be8d5afbdfc6a8c262a18e87cad0d9d90e68a4a354ef55e0abdbf6904b0

C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\vcRuntimeAdditional_x86

MD5 c8d11825b24628d8f6c9c2e2be75d05e
SHA1 969c73faa769078b7219097ff304a8a497c9fb87
SHA256 48108db0552ed7f8f6631ca8b15e27fc3ea2f21dc6bf3542bb3d76476968ade2
SHA512 3cdf522fca221756cb2534ce88c47606ca74126942a5b2d486bedd5bb943343efc6c688d1e12117e8a05bfb7d9a100fc3548d866d8517c263f9e1bb5b2004796

C:\Windows\Temp\{F1797D6A-E0F9-48D8-8B1D-14DF3BC15113}\cabB3E1576D1FEFBB979E13B1A5379E0B16

MD5 580dd5543bf14d4b20d156631603e07c
SHA1 e8806c59c809e52e61147d10cc8dd27a7c1ae39b
SHA256 3f32dcaf2ac00c12dc03e19a6124ca0dce5e2450be950b39b9702f515efe9188
SHA512 b5f740e140793b91ff5c96b074c316a3fd029cc497d90f4a825182928e5f087d363e3633bd5f77d18e1516032b256fc5ee1aa0c279481818a0754de0138f303e

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240517082110_000_vcRuntimeMinimum_x86.log

MD5 e39796bb00ed7fd151bce90b79d8effd
SHA1 89363949c4cc520e9b992b613ecd8d5941421398
SHA256 4fa58841b31c621bbd1bc0e2b188e580409e9ab44334eba50b3ca20dbaccc792
SHA512 2521dbd69f129050140b31e2f61083e8ffa377a031a1cc993ce9a6eba258b566a4e02f3beab5daad469ace57f11bc84c89e538748df1d9fd02013aa9e5f67a02

C:\Users\Admin\AppData\Local\Temp\CabC499.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarC49C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarC800.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Config.Msi\f76c488.rbs

MD5 8093c92f2c0033906a143d98ffbe9d31
SHA1 2b2c5faa1607e16f52754af98f418b72031291b3
SHA256 3497126e65df709c65e895553aafc06a6f339d7a07d37c5cdb51f83a0ab052b6
SHA512 0f20f33f4f8b28c42641fb76a68129f0f6ad7fa7e014addbe853608d60ae4526aff111d98586b5213d10fd04bd1613ab53a8989d43ee8d865d4a447e66c89aec

C:\Config.Msi\f76c47d.rbs

MD5 4cb09f1da404f9795e908c886a98a7b0
SHA1 52f9e04d5007c7b0bb6260dca105fa2cbd40ca99
SHA256 c100c6742b77d5f06a4af16b131fd5f3e0278756ef5939d1a4575b266fca64e2
SHA512 2ed3ac4602e5f6a307aae1e4e16ae24a1cd9c84461218cddfe55ae528543f0be9628f365b126ce0c328d40793f37b554824e3f5301d00ca344d5c3d411698d4d

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240517082110_001_vcRuntimeAdditional_x86.log

MD5 de7d7da6b540e680805156a768df25be
SHA1 39f4c55a8ed95c1476cc4c9dc56256dee1f62e6f
SHA256 194ceca09e1e0fa8f6245bfc28e3b1df3b283e51ae2dde046a5ff8ca49921f05
SHA512 3333c12d5e224eb21eca76b9a8927bb66e09a7abaee46768d3e469e35e445fd51d9c2e7f81b5487846fdba47d811e37c7a4758edc7c01b25f391e694121eaa4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d51224299d98d38c36ecfe3c4d542bc0
SHA1 4a946b3b7ef183417d1355da2f9a561e8b5a8a1e
SHA256 05fabca0380426a2417cf73b39a3f52325a54893ecaec0c6db3a08b99f049eaf
SHA512 3c883eab77be0d1ac33960c41db6e37e678975df8fac22a6b14176911ce38ffabd011bdda55bd3aefbf0b17089cab49442a1e2b1ab4d2dc5c3075ad935861403

C:\Config.Msi\f76c490.rbs

MD5 c37917b379db9fe386264e2f704cd5a7
SHA1 b350915f3a1405d1d027b0008ecb406c9c580baf
SHA256 8dbbb75eed130228bc75db70eb849bb980df6de1e5443163094e3c5ddea74fa9
SHA512 12ae63c2d36b2b2f24a86edc0900119d38feb2d2b7c06ecd3fba765fd73d91d79f25e697059f62fd918b9033c2fd676b7fdbb2ed3156b36612781b7799f84833

C:\Config.Msi\f76c49f.rbs

MD5 17952846d79594ebe23ed9f23abc9a22
SHA1 96ca1132a7a45b3414b55bfb44a347bc7a23967f
SHA256 6e7ba8d61aab1deba86616498b0214e49aae9349a816ec40c17f529b0aa18130
SHA512 f34494004f21cbef6ba97733dcff857c46e02ee8c4749355bde27584090bae914b2b5e916355450b9520d214230922cbd4702425cf019af0a615ce3115cdb1fd

C:\Windows\WindowsUpdate.log

MD5 6ae32179d7251480dc5d41b5e7568b31
SHA1 111497dc1e294495181e3dfb99accd58f45ecffd
SHA256 8089d6dadcdd12b4adf046f3d82110c1805c9af9943402b3e9034307d21b24a8
SHA512 85d672c39f158a2f3085f281bbb409e7b4786615f60678f7d3424aed239f454a233dd59071d462f6ca7c535604f29c7d3a769ebca206b831ca83c49c20dc92f2

memory/1228-7936-0x0000000000310000-0x0000000000387000-memory.dmp

memory/3032-7974-0x0000000000310000-0x0000000000387000-memory.dmp

memory/2540-7973-0x0000000000310000-0x0000000000387000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\ioSpecial.ini

MD5 5e15e92f33b18c98f348f320ba972d76
SHA1 f8e91eac542e63ece4d60b62aad6d7c4bdf2e7e7
SHA256 a57b585ca5f961155fb5dc84b9031334727c449905925e6c4767a51cdae86474
SHA512 1cc32387cdb2c460dc6fa6baddfb4c4019eca288b20d6192e88c46de5604bbfa38dc6db42c7b8018bb89a43d634e94d708cc87d39c71b7685f9216701b562207

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\ioSpecial.ini

MD5 acf97ea7dfaf515bf8bc2dddcca3fe52
SHA1 be7ebea32daad29ab1963624ba0f7cc31ad7c536
SHA256 3dced572f8e7c426b304ae1beecc3c5abebd0d7a3570b222eb06714736e4d41e
SHA512 6498b5e45ca7d7db0ae2c15cfd81f45553af6a3561a45ac6dc9f60275fc2b644757f629a610f29f061d10ec6ef02f1f4051ba3813df69df615bd2b8caf663a26

\Program Files (x86)\zMail\appzm\ffmpeg.dll

MD5 b63e9344554c0038deff8cdbb11522bf
SHA1 9875fd48da67ec43fdeda560a5b2d725fb4c619e
SHA256 05c918622b0621148ee260d5cb0660d7f0732deb02ca7d58476741c0be84e412
SHA512 824f0cf8e4c496fa411ff8ecb5acb9c573a562459bbced42c2d7ed5827ce722402d8e6bb658abdd8bb32ddbd4b7c30fe9e675f2db0c24cfecd39ff15f333d5e2

C:\Program Files (x86)\zMail\appzm\v8_context_snapshot.bin

MD5 b59edfc69aba2f4c433d5b0861d9ac31
SHA1 a2adeb4d3b45170351d1c8ba0dafde71fe35b9c7
SHA256 82c3df9c5e8f300b1af7b1d070163b43648a762acff0ce78f801382d9cd58d16
SHA512 b737160e99b6baa6f960316a223b47690335372ee2d9bf0331e331041dd2e8f727805377ee673e3ace494af01914d301b7e27c5fe5f6642ee5d08afa5442f8f9

C:\Program Files (x86)\zMail\appzm\icudtl.dat

MD5 76bef9b8bb32e1e54fe1054c97b84a10
SHA1 05dfea2a3afeda799ab01bb7fbce628cacd596f4
SHA256 97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3
SHA512 7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

C:\Program Files (x86)\zMail\appzm\resources\app\package.json

MD5 0a9c53b80daf419d0c7ea57fd2ae2ada
SHA1 b148472f0205e60eec5574832ce13fb6f66702d2
SHA256 ae7f31c99d10b60934bd8cb1333c44e3317527bd8758b9b8c9c58349e2d943c6
SHA512 4cf5b462d01bc24ec745031eddc79c39556b54c97fe75de6c0806b873835fb4c5514bc11df8c9af5d52bb75b7601fc724381365bc0dbc8739c942fe0f40aea2b

C:\Program Files (x86)\zMail\appzm\resources\app\main.js

MD5 ff3c6efce245403c3787716cb325195f
SHA1 833e500982fdeee7b000013a2c63eaab6f0464a4
SHA256 6783d0ef79a32688ea27f3a22752a5daaf3bbffc298d03b4d2f2eabac4e13002
SHA512 0081b13f9ea8883e134ecdd89bc2f53ae3c711a7f182df83e7e9eea33cec40dc1b353dd12f46917d10d62e01ba4f03c53d105c014eacfc657e995dd2789aa46c

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\console.js

MD5 29a38765ee22f39e1b8213e583c33e18
SHA1 2e887860a77b603c71d7e8e8790c4545805b8bf1
SHA256 be3b503cdf49c5f1315c80b6a3211fe9015f28512f6b3353e7f1d8695d1499ce
SHA512 403dd1516074070e35d1ad283b1082fdc89c0d367e15b7260a8ab18ac9a7c48c343f61175dce2fb56f9d75634059497ad51691ac123475a7d5b9b32c0c66f631

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\tools.js

MD5 7a0d0f6d5f7cfceeef5254c4b3b24594
SHA1 03e7072c7c3f9f4b3e77a9968a49d589b1e8cc0b
SHA256 96c0e1a2c8545690fffd676d63609d8669b8d9181083eb8040bec10015f916a3
SHA512 dccb43576902948064c21765b48a974c49ef1b23d87d1a4c15466392206064680002e5679324e06de64b16f5e7734ee7f3db40fc236c3c95aa261fc299461b02

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainEnum.js

MD5 8cb0aa172d2ac93a77f71af9bad2a9cd
SHA1 072033e27e6f3c4b6c33782aadea81dad77cb8ea
SHA256 d1020c30a0ccbd733f05350050a8aa838a03b4643e99be7e11e2fc18d74f8ed1
SHA512 9982596cdc410894fec8eec98e8fb3d4fed3235408c61d7e1b4616b1292c0ae360b4b41b441d73d3990e186b5289b01df4ae386313ebf53823f849ccce87244c

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\remote.js

MD5 373be0bdf1ee0d64969fd938cafa4a09
SHA1 a29a60e4d537ee80b11538a9f901f002ddbfbb82
SHA256 443b03038dddbf54f150b5998ef42cff549a636b756c2a18b86c0bdd3080f047
SHA512 425ba2cfde6d5f44c64b1d205fabadd1ab957f061e3c2cddb08ed2990d822a0083b731c0bf405c8344a677429e7295fd385fc37ba16d83dcc9833338e2433cbb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\ipc.js

MD5 3d7b72d7bf55364873ea8a01797d2279
SHA1 5cf769350a194c81ca2eda9598b177ab78cfbd17
SHA256 9cf486306cc0f7cb2323bdcfa86b8d9c71126082d4e865c80eb49c1b06180630
SHA512 f5c1eba2b6afd4699823a8c5ff6943fb8d05499763827ac550f9ee8c7727cdedd6ce65a0d4d003f2dc12a8becdc3a770feb120bfadc4ee6575176f9242deeacb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\packageJson.js

MD5 d02303a218dc0a76a6a9e63f6b34f30c
SHA1 efb42cc6e7fd80020ce5fcc82bbb1fd379cf0a5a
SHA256 f0294e4908342dfe7e3ba933e348b6a7bc19d38d9dd06687a958eb8e26d923d9
SHA512 ed245018e76fda9aca24001534f59042874254cd706a7a7f07b5225d39161ef51b8f4163707f93d572e58af8560d97a931f6abcfa84099e84eac67f0af25f6cb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\variables.js

MD5 78c982f754a24f31c9152dbcca3cc259
SHA1 73f4e43e9ed67d18183024e80b2b0bcf2700477d
SHA256 d8c5a9886d53743eb80e8a077d5d2c3081af25385c02e934804208f2cd4ce576
SHA512 7b0e9f518d28f3e3a5a6c8d64835e0e3192c8a27062324245b700d170f090dcb36deed0ff194de4ca4ed4ad79eb171ac1fecf44fe5df5ffc75d902cd42641bac

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\file.js

MD5 df5d7f68f0f43351beae46ba15c1f811
SHA1 585fbf7d9d0abea3ef3ec305dc3d2e8f5c28e2eb
SHA256 6671e52a6735a0e5de7db4d4c6049c3c5a7cd3eab6b09c597d9150942ad0f3f9
SHA512 dc671931f6e508a7d8498d61e5d5597ab34e7601119e34bd298404c0334ead05983f8da3b95ba8a37e10425fc2a26ae2a0d12ec5c96c6f7a3f7b003402e59f3d

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\index.js

MD5 26bb140fab1a9d80cfb7dfb5049c62e1
SHA1 37e67f1481a724c1150945fa4eb5fa40958b595b
SHA256 e1e8710633a744e24dbb59b469e1481a6e1ce7d3cb9ca22db7bbd2a9395ef2ec
SHA512 b78338b536a5ba0ce8c664668b686cee0c22f97d2103286be7f49264ec0fef451aa587e872412b04934c724eccecb7dddd2c2ae12db40c6c5b7746b2e2d22666

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\template.js

MD5 8c0a5e07fe58762fbec363c9722bee2b
SHA1 a2599ca68e1d53eefc8b75a7c6a5ef9d6878475e
SHA256 29a26d106bf11b5bae096bf41e091f952c2ba26950bdfc7c39c2f1fb3bd4db55
SHA512 b59e169c0f1e8cda61e27fff78bebd4f0c9bf66642e210776f870f5f0efafeffb578e48bda7d049c431637b4ec2a98aceef2ecc946e4023607c987db455f180d

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\style.js

MD5 bfcf10be444b049bd634736ac46093d0
SHA1 21f887e5650ade4b265145abb8f43d6bc0726e7b
SHA256 5fcde50e9349f81838a7238d385bbfd722d13aafc62926664ebb972c49d84035
SHA512 da9b374e09a8e8a263ec669f9ff4990d4cc6622ce29fe2e893c49323a7e5b3fbce1a9f463d5a1bd21c6a2b5e8dc9dc64375b5f1093004af47a81f497816c2e3a

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\object.js

MD5 08c3b517cdd1544713c924de2ce33939
SHA1 352ac884d547665edf80b226e7fd214fe62bc7ab
SHA256 300ef90ce0e743fc58a2b84758bc867b49b0283f92daf62834707d03634a5ee9
SHA512 b52f459c35e6f345b72b9806833c8e4a5bcd4b989dc7e6328d8f372ff80d5a50df8109c59e3bec7b63ab5d372b194f45f97daa7ec6d999a60be1cf0802db83bd

C:\Program Files (x86)\zMail\appzm\config.json

MD5 c102c7d9eed200e3b4796d50407fabce
SHA1 201a97eebb85beefc92c63d6dc755de45af288f4
SHA256 97be48d2605edef0a653c538d3ee09a14e5bf84b94fbd59c98a4162c6742b40c
SHA512 ccb99e9b308b0bac10224a771bc44e04f7c3f07f72adbd36c321961d2a665e6d1e5cbb2284b20350840dbdeb39956406ecc85269463419637a2a1061d9c4c920

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\scope.js

MD5 f89e1275dbb8430e47eed45784c2623c
SHA1 dd2c261400c14b6e3790227362d6044a8471e2e6
SHA256 2b5acf7e6d22daee042679754690d02f495a667758a9a61cc463b62ca52568e9
SHA512 5cab4e40e3a3e0896c0022c80fd5764eb3f3d69604d3662296bb9f4ee9253a36a83dfaa61e7daaeca1d3f7c965ab32459d5a40c1fdc0a023b51d6a3f64cc716f

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\clientServer.js

MD5 18963e75ca04fcab2f4a30bfc341d2b0
SHA1 04ec39fe68800c472523c3c6f1c65679f949b333
SHA256 896712e2d41c7ae5a9a427a27d45dfdaa245b8ed416ca830258b9912286fe3de
SHA512 539951eb418dfa72245f193a68bd4b42edef7a01b082ded18580633f98e5f3af4bf1dd8e4819f6e73bae2498208bee50386d9484421d0798f3a87755a6d1ce1f

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\clientMainWindow.js

MD5 e93d5c197c1c433a72fc0fdc7658f07a
SHA1 71072ed86fe2efc44018795e29e28f1d349a61a7
SHA256 f8dfdce1cca240114bea68f18d23565bc7476ea4e43334ce07763a55f956ed29
SHA512 cc84797be773bca2911d744c78622a565e3d37199a336242966d03b05a905b6dc1b7a94d7950fe387533cb792b03fc9e1f133a7994241e4818640117f14af790

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\log.js

MD5 e61e1a62d73b3f706a9b95072c8a4f0c
SHA1 aab539ea5b6164fe90f6179cfdc4f95d78a42475
SHA256 a30767af0475c7d81d9e13405b86443ad4f7c6f08e2027398a6505469e8cf13a
SHA512 e59374bce44771752b85692abd68888bca42d18aa9963ee99d838d9e0575e7f0da3d960be96911aeb77b978f727b61c5ac7ce31f075131b884d98d6a656c9df5

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\electronApi.js

MD5 16161bef929fa60543df2b532b2b6673
SHA1 eba0ca4b668ebc84843c94b8a8e4866ab5f28490
SHA256 1268f8a7ad980db3c87f97b54be73adaa261fffbe953c1ae8f3aa0a59f4a5ef7
SHA512 23f6ccb17ff96061176bea052a1ee55a56cb8c97d878fbe004a9445f3a577a0b2c05bb2a1842092a5c021de27a78146d7e5eaf69b45f4dcec7dcb2b8745a66eb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\catchErrors.js

MD5 2b5db023309cfca83aeb860081c24018
SHA1 19c725f5b25d3b247456f063fe3a39488b2e11ac
SHA256 8a1b7f8971cb65a209cef2621ddbf010299bf1d518173013f386008226571977
SHA512 4569f0a3bc60a7f06be4baf63cedea668d1ebe0320374b21049ede613871c07075ddd2ca67ca33453ba3c35b2bbfac47a840f315f655edf28386dfdf66005515

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\index.js

MD5 4d1666f6dbbd53c8b65567d14bd17ccf
SHA1 260396d5de742b160d373be3b85f49671964a949
SHA256 7e7689688fdd340a2d89c30eb9f984353e6b32e240c3d028c2755cb78dd3462c
SHA512 e3491597b6d87bd0c1af2cea8d6583d4174beb3cad430d23fbdbf0fe458a829e1bceb38be3f5aa58ad90881046b1fe72f38e7487105410875fb68cb23f804e3f

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\package.json

MD5 4cf10caffc6a41c411834cf8a073ae62
SHA1 0f3adf66e29efbf807e2912c6b2184bc19d4edbf
SHA256 2b3016fc91432ea8fbcefa9b52440df23febd32b295743236e9e037b313164b0
SHA512 d4a73bb19f0b7dbdd03718e8f588cbffc625c0e70d05968c44961cd33da2518bd91653081e14c7fefce060caf41e03f2dcc60717627c44785081e59eb1777ca9

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\configInfo.js

MD5 eff15838302f5109f5f8ca46feabaf32
SHA1 86f630148026ff439c1001c995af1520978a42fa
SHA256 6ce8155b08fef22b886e491672a2cbe6a682463915793d9eaa51890b1d9f1a01
SHA512 4ac88fdfcc1041752ceb19fe02a01fc52b2083cc239ad14d731d8207c0dda47d48292a0b00d51090798105e16a869aa3023d31a586e758c1bab6e94494d2a434

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\helper.js

MD5 d11e93768a7d7aef6c4412f971a65044
SHA1 7cb2a53421cd5787a228ed860f39519ced74bec3
SHA256 f639c3dede8d4808896d6358755653557dbde7efc08d22e35a52bd7815f2c0e5
SHA512 9211dcf9e9d0c0b7d43ca4962de05b6d7b181a8998ef285a8817ab570f23c33c5ae0ed6064d349895b3eaa590d50d58df5ba461c2e172348660c61cfa8fd65a5

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\getBoundAndDisplay.js

MD5 cdccfa721f5eb9341af9c159ebcaec9e
SHA1 0a27f942625ef8f350912c1cc2ec1946dcd9637c
SHA256 78a9dae25e92eea55bda0f0c3b0866a42138fecad67d8d1ae06bb45c89e74c77
SHA512 a56dba6c62fdc46b2f0bf18cc9aa49176a8c2250832ab99911acf2e726ad800304b1a9e0e788d92a524b9d2f4a0aa59f36c3874def163b27a936f6c209fcfe95

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\padStart0.js

MD5 a15198333f81c7cf28473da19e2492ba
SHA1 51279449c18af7ab5fae139c8c3d3f46c6dd7e6c
SHA256 cd81e24becae1692594a096f34c35706e8468e550e4e03e5d0987c480e2d08d4
SHA512 ca905191113cd6e234919299a380332f0c3e97ed257c1be46c986575cdb7de672bdb79a3e55b954eb81a711cda254556b9250d7900949fbf9d1fe09f542ea873

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\event.js

MD5 2459ca68fd107bc4266ff784cb30e452
SHA1 69e808137cfffa5eb1e039992172ad1437f17553
SHA256 b47367bcbbf550adaf180745295e267838f153b650225e35ee811a2a1dbe80b6
SHA512 b63b93fa38c248f83b360c212cca6e7125dcdc1ce84a76d197dffcbad790357a75942fdb1e36b35b14e2e24db0845d3816522b0fa026ec8c6b3d2e1d1372fa34

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\screenshots.js

MD5 4b0a1ccf728a53febfe00fd821ece785
SHA1 5af2fb979b53c91761bef792e8e54bdb6d6cfb03
SHA256 89e03f74a131f32c0e93433cbdc50beafdcb7acb2be95fa8eb1aad381ed5de38
SHA512 35e079ae2b67b9e321e7dcafaced59da93cc9d859cd1f034c77c5c7473f70605bf6ebef29051b67ccb1b01603763e75668726e44ea571daaa685c261aee1e817

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\package.json

MD5 1aaf2c14829667f816ae3f4737409ca5
SHA1 7697b522dc3ba9d53d7a753e45b2a7f185b4cc25
SHA256 58b39363d7c243002f70d61c4555bddf4a6459714d9e07fbf77597ef0e2c281e
SHA512 b15b6bb83e3a3a3bba75c83f0ffdb20d4422cdb3a83c1bcb8e9f8176ae1340b48c89915298af639bf77f11446c75d0c284ad497decc35d8bcc163521bab7cb8a

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\index.js

MD5 3c5fdd8c87c793ed1c4b83b8d0afd46b
SHA1 2aa076fc20d2e38cc17daffa5af124e7d0fa65c8
SHA256 5090938d0760b8511d20baae9367ff6d292a09fae0ebabbc39390054ffb1e026
SHA512 6f349849a78abe425b51b7949f317524ddf3339578529db1764fe79e0f237e1ad965654ed962e64bfa3540df67728eba0685a3848bee58cd65d5bd74791663cb

memory/880-8171-0x0000000000590000-0x0000000000591000-memory.dmp

C:\Users\Admin\AppData\Roaming\zmail\Local Storage\leveldb\CURRENT~RFf7733ec.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\zmail\Session Storage\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\zmail\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\zmail\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\zmail\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\zmail\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Program Files (x86)\zMail\appzm\zmDiskInfoElectron_v2.node

MD5 30133d6ea83a2ea72301303653dddae8
SHA1 e70e7586de1b6edd76a8700555d9ae09d6675094
SHA256 3a3d554c3aabc3ce8f7345d11e0c233b4f0b16183fbeb82ac4bac7c5796526a9
SHA512 6b2a55c2bda3fd48fcb18db997a5d39e7413c2bcfd4278a79706228b4d48d914f275aabc585f61c1d2f62ae63140f15d28219482dd3b08086427bea5b4bb7b65

C:\Program Files (x86)\zMail\appzm\zMailchs\zchs.conf

MD5 d40f4f1dc595ccd0f9fe6d75a8f9eeee
SHA1 c30316f442f91d6ae119d896fffa58a8c7e753b0
SHA256 9d596d437c8c94179b9ff46e7f39fcddec14dd71947827afbcdb01a8daa08987
SHA512 25c13de5c4b6285e80301546c05a939c03f38e3935991541fdf9052d256acca331f7dd726f196fd0f76ccd6980ec9bbb925d98590bc2c762dc3521a2267bbe4a

C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe

MD5 6f2f0f724f3abddcb85dedf8e6404c25
SHA1 1b2b90b77175c1c2e2d7906fc1fbfd1493fc02a6
SHA256 e40069c4361fbad1c897d5fb14b3884d9940cc0e6c0a7cca3fc3784343eb0384
SHA512 7e11287d204457a508cc91af1b6152b7e514f7ff953a58e01ae49f788c5a921e0f0820fa27fdf30b37c760856baa3c7f2c939414eea558f7d17e4cd84af5fb9b

memory/1336-8432-0x00000000006B0000-0x0000000000834000-memory.dmp

C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDbRepair.exe

MD5 1ea8c4d06573c1eae6fd17daad96335a
SHA1 75e4c175dcead1ed5cdfa1d55dfc7a27c041912f
SHA256 c1e08fac9313d95bffd004e9dc4df403eb7a2e5f4f5daec00245d54f29dc02f0
SHA512 f90ae5e3457fcf64e29913d9dae2ee5d129810f0487f31ee3a5ba9b196a2351e0380a2b71901a6c65b9495ee4cbca891eb85c745d6074beac84d2405c57ed917

C:\Program Files (x86)\zMail\appzm\taskdata\TaskLocalMailImport.dll

MD5 cd5f3c123d9c0d8784eae1021fcadab7
SHA1 843e711a933f5a4134c59b9f264c1671eec417ac
SHA256 4398af63205c6e00cabf805a428da3cc3bbc6260d8fc964a9733244456742cab
SHA512 62d2e04a4ecd53450ca435bfa99fd565c53ad912d2f7b247608ece31f79c7ac811cc8e55b882b224d7cd153a4331cc13d2702eb2faf01ff62ed0b6a1f07f51b9

C:\Program Files (x86)\zMail\appzm\taskdata\TaskFreeDisk.dll

MD5 01aae1ebc4fb600d76ff3a98ea412dd7
SHA1 c1a02270b97493596b075cf90c4093cbac4dad62
SHA256 7cd64f6f0158a7f210066fa1a99211747d1fab09301c73ad95ae3c2265704384
SHA512 4ac2868e7c947949e6ea2aa0316943b68e2b73afffed8d984f67df4f1f9140f40c30da24589070bf6e6e7b45ac8a17b107330bccda836202010970c7cfe4d9cb

C:\Program Files (x86)\zMail\appzm\taskdata\TaskSE.dll

MD5 4f853ec60cb38789fe64a3119d49364c
SHA1 f3d30c65b01a2e7dce000c05a2c77d5aca451ea4
SHA256 b9fec850c983980acab2790ae1bb19350a29413dbaceb9fdd7d04a66fc759c21
SHA512 a06ff7f57c610a8f9b1655b63990720c18e6dcac9a5940bb4e8ecb5aa593ceabb97abdf1abcbe5cf760136b66d68ac1fb97580526c4b0d9f0ae9a3d0936fb903

C:\Program Files (x86)\zMail\appzm\taskdata\TaskMoveFile.dll

MD5 6862b76edce1560e319f0d7b7de4e1f7
SHA1 5f64741954e52aae39dfb445ab569b213b834608
SHA256 530a5c58ee0753e9f8c47a8fddaa42377bd7a842ef81e8aab1036ad99e233c8a
SHA512 52d6283aee07a540d778bb5ab5e4b5c883bd18617fa896801cf92b916bf5d2c6a3e9edce5faa5325f55afb1e928958ac7dcf9ee72c141c5652912d4e33022a65

C:\Users\Admin\AppData\Roaming\zmail\Dictionaries\en-US-10-1.bdic

MD5 4604e676a0a7d18770853919e24ec465
SHA1 415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f
SHA256 a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100
SHA512 3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

120s

Max time network

132s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index-of.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index-of.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:24

Platform

win10v2004-20240426-en

Max time kernel

157s

Max time network

205s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index-of.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index-of.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:24

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

224s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\last-index-of.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\last-index-of.js

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240220-en

Max time kernel

117s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce-right.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce-right.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 192.98.74.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

156s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\zMail\appzm\zMail.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe N/A
N/A N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A
N/A N/A C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{41d7b770-418a-43b7-95a5-f925fff05789} = "\"C:\\ProgramData\\Package Cache\\{41d7b770-418a-43b7-95a5-f925fff05789}\\VC_redist.x86.exe\" /burn.runonce" C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\zMail\appzm\zMail.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\Module\Mail\ReadMail\Styles\readMail.html.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailPlugins\ueditor\third-party\highcharts\themes\dark-green.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\dist\screenshots.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\object-define-property.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\es.reflect.prevent-extensions.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-dom\umd\react-dom-server.browser.production.min.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\lib\constructor.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\freetype2\freetype\tttags.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\libgsf-1\gsf\gsf-output-memory.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\install\dll-copy.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\libgsf-1\gsf\gsf-input-http.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\array\from.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\Calendar\eventEdit.html C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\promise\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\libgsf-1\gsf\gsf-infile.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\Calendar\css\images\downList_hover.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailPlugins\ueditor\third-party\video-js\font\vjs.ttf C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\symbol\replace.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\compressing\lib\utils.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\instance\copy-within.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\array\virtual\entries.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\Scripts\Components\TaskInfoControl\TaskInfoControl.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\glib-2.0\glib\gqsort.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\Scripts\Components\GeneralWriteMailHeadControl\GeneralWriteMailHeadControl.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\portal\app\loginPage\css\style.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\locales\hi.pak C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\getBoundAndDisplay.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\math\fscale.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Mail\styles\commonBox.css C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\@electron\remote\dist\src\main\index.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\harfbuzz\hb-blob.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Scripts\UserFolder\Scripts\UserFolderRuleEntity.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\instance\to-spliced.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\map\emplace.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\es.date.set-year.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\stable\object\keys.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\glib-2.0\gio\gtcpconnection.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\nspell\lib\util\add.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\tar-fs\node_modules\readable-stream\GOVERNANCE.md C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\MailBox\Styles\Icons\z46.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-addon-api\tools\clang-format.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\iterator\find.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\array-for-each.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\web.self.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File opened for modification C:\Program Files (x86)\zMail\appzm\zmDiskInfoElectron_v2.node C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\instance\code-points.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\fontconfig\fontconfig.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Icons\icon_more_moveDeleteActive.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\Images\cludimages\lefttop.gif C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\array-slice.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailPlugins\ueditor\themes\default\images\scale.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\Images\cludimages\list2.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\modules\es.reflect.set-prototype-of.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\fribidi\fribidi-bidi-types-list.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\sharp\vendor\8.13.3\win32-ia32\include\glib-2.0\gio\ginetaddressmask.h C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Common\fonts\icomoon.woff C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\SiteRoot\Styles\Index\Icons\zspamactive.png C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\es\object\define-properties.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\internals\to-integer-or-infinity.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\se7en.woff C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-dom\cjs\react-dom.production.min.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\symbol\async-dispose.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
File created C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\full\typed-array\index-of.js C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI871A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e597fa6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8360.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e597fb8.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e597fb7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5720EC03-F26F-40B7-980C-50B5D420B5DE} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e597fcd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI81D8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{799E3FFF-705C-461F-B400-6DE27398B3E5} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e597fb8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e597fa6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88FF.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\PackageName = "vc_runtimeAdditional_x86.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{5720EC03-F26F-40B7-980C-50B5D420B5DE}v14.31.31103\\packages\\vcRuntimeAdditional_x86\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Version = "236943743" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.31.31103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{799E3FFF-705C-461F-B400-6DE27398B3E5}v14.31.31103\\packages\\vcRuntimeMinimum_x86\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED\VC_Runtime_Additional C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\30CE0275F62F7B0489C0055B4D025BED C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.31.31103" C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\PackageName = "vc_runtimeMinimum_x86.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\PackageCode = "59899928365EBDE4C869391EE33DC0EB" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.31.31103" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\30CE0275F62F7B0489C0055B4D025BED\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.31.31103" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\Version = "236943743" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\Version = "14.31.31103.0" C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\Dependents\{41d7b770-418a-43b7-95a5-f925fff05789} C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.31.31103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\30CE0275F62F7B0489C0055B4D025BED\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.31,bundle\Dependents C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{799E3FFF-705C-461F-B400-6DE27398B3E5}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{41d7b770-418a-43b7-95a5-f925fff05789} C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FFF3E997C507F1644B00D62E37893B5E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FFF3E997C507F1644B00D62E37893B5E C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Program Files (x86)\zMail\appzm\zMail.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Program Files (x86)\zMail\appzm\zMail.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe
PID 3100 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe
PID 3100 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe
PID 5024 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe
PID 5024 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe
PID 5024 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe
PID 1176 wrote to memory of 2740 N/A C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe
PID 1176 wrote to memory of 2740 N/A C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe
PID 1176 wrote to memory of 2740 N/A C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe
PID 2740 wrote to memory of 3460 N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2740 wrote to memory of 3460 N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 2740 wrote to memory of 3460 N/A C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3460 wrote to memory of 3588 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3460 wrote to memory of 3588 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3460 wrote to memory of 3588 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3588 wrote to memory of 612 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3588 wrote to memory of 612 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3588 wrote to memory of 612 N/A C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
PID 3100 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 3100 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 3100 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 404 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 3000 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 3000 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe
PID 4660 wrote to memory of 3000 N/A C:\Program Files (x86)\zMail\appzm\zMail.exe C:\Program Files (x86)\zMail\appzm\zMail.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe

"C:\Users\Admin\AppData\Local\Temp\zMail_2.6.7_20231206.exe"

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe

"C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe" /S

C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe

"C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648 /S

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe

"C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{CEB08EB6-F2C9-4007-BA99-FD91CAC8C25A} {0DC1ED55-AD67-412B-9B71-7510D285DE78} 1176

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={41d7b770-418a-43b7-95a5-f925fff05789} -burn.filehandle.self=1064 -burn.embedded BurnPipe.{430C0A9A-E572-42C7-9BBB-8B19310CFF2D} {4139D3CE-232E-463D-976E-4BAFB5D3C162} 2740

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={41d7b770-418a-43b7-95a5-f925fff05789} -burn.filehandle.self=1064 -burn.embedded BurnPipe.{430C0A9A-E572-42C7-9BBB-8B19310CFF2D} {4139D3CE-232E-463D-976E-4BAFB5D3C162} 2740

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{A1642651-CFFF-414E-9784-E97E7F69590E} {8FBC9F91-3E1D-4DE1-94AA-AF4E7E67FB56} 3588

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe"

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1784,i,12957852082878474950,3092490297385541017,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\zmail /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\zmail\Crashpad --annotation=_productName=zmail --annotation=_version=2.6.7 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=22.3.15 --initial-client-data=0x8f8,0x8fc,0x900,0x57c,0x904,0x8dced38,0x8dced48,0x8dced54

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --host-resolver-rules="MAP zmail-electron.zte.com.cn 127.0.0.1,MAP localhost 127.0.0.1" --ignore-urlfetcher-cert-requests --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --mojo-platform-channel-handle=2368 --field-trial-handle=1784,i,12957852082878474950,3092490297385541017,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files (x86)\zMail\appzm\zMail.exe

"C:\Program Files (x86)\zMail\appzm\zMail.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\zmail" --app-path="C:\Program Files (x86)\zMail\appzm\resources\app" --no-sandbox --no-zygote --first-renderer-process --js-flags=--max_old_space_size=2048 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2768 --field-trial-handle=1784,i,12957852082878474950,3092490297385541017,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "TASKLIST /FI "IMAGENAME eq zMailDataService.exe" /FO CSV"

C:\Windows\SysWOW64\tasklist.exe

TASKLIST /FI "IMAGENAME eq zMailDataService.exe" /FO CSV

C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe

"C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
N/A 127.0.0.1:9080 tcp
US 8.8.8.8:53 zmail.zte.com.cn udp
DE 209.9.37.144:443 zmail.zte.com.cn tcp
US 8.8.8.8:53 uac.zte.com.cn udp
CN 183.62.165.200:443 uac.zte.com.cn tcp
CN 183.62.165.200:443 uac.zte.com.cn tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:9080 tcp
N/A 127.0.0.1:61244 tcp
N/A 127.0.0.1:15263 tcp
N/A 127.0.0.1:61252 tcp
N/A 127.0.0.1:61254 tcp
N/A 127.0.0.1:61256 tcp
N/A 127.0.0.1:61258 tcp
N/A 127.0.0.1:61260 tcp
N/A 127.0.0.1:61262 tcp
N/A 127.0.0.1:61264 tcp
N/A 127.0.0.1:61266 tcp
N/A 127.0.0.1:61268 tcp
N/A 127.0.0.1:15263 tcp
CN 183.62.165.200:443 uac.zte.com.cn tcp
US 8.8.8.8:53 zmail.zte.com.cn udp
US 8.8.8.8:53 144.37.9.209.in-addr.arpa udp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
N/A 127.0.0.1:15263 tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
DE 209.9.37.144:80 zmail.zte.com.cn tcp
DE 209.9.37.144:80 zmail.zte.com.cn tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\LangDLL.dll

MD5 4cdaaf5da900a8eaed090cd22b8f8781
SHA1 6c7d9cfd96e66d236b66b8d50d65083a0dbb1b11
SHA256 09477d605677bea48019b896f068ce6c2e89004e5c5f0a86c0276db30c6515a6
SHA512 3797d59aeb908dcd66c63eca76cb2064416d3b66033dc687bc7a9c50e2979c42ac94773f54bc8ec45a9cd69c8056b83a2bca6efcd703f71a4b5f67e166f1e06d

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\nsProcess.dll

MD5 faa7f034b38e729a983965c04cc70fc1
SHA1 df8bda55b498976ea47d25d8a77539b049dab55e
SHA256 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\InstallOptions.dll

MD5 046074d285897c008499f7f3ad5be114
SHA1 159040d616a056ee3498ec86debab58ef5036a55
SHA256 254c5ccbce59ad882f7f51d0bf760cabde8c88c5af84e13cc8ad77ba0361055c
SHA512 ab7436fda44e340dd5909ddec809c6b569a90d888529ef9320375e1aae7af85afcab8c1c1618551d3fe8d6ae727f7dca97aa8781b5555da759d501d2ccd749e1

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\ioSpecial.ini

MD5 bc46675124b0c8d79b0c36f7e41d79b5
SHA1 6c301b2bf15f5dc0a5e0ede8bf731c4869ef2afb
SHA256 234ef62a73a9803a770b55f04d8ed84c87fa0f8e84470b32afe5477cdaac1ade
SHA512 5af3b415639d1eb3162ba060db2d5cef20044c4f132c74a792f59b489b6948191ea09a474eae41d86845293371da62746e3dff256080bb90744ce326a00ddfad

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\node-abi\node_modules\yallist\LICENSE

MD5 82703a69f6d7411dde679954c2fd9dca
SHA1 bb408e929caeb1731945b2ba54bc337edb87cc66
SHA256 4ec3d4c66cd87f5c8d8ad911b10f99bf27cb00cdfcff82621956e379186b016b
SHA512 3fa748e59fb3af0c5293530844faa9606d9271836489d2c8013417779d10cc180187f5e670477f9ec77d341e0ef64eab7dcfb876c6390f027bc6f869a12d0f46

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\features\typed-array\entries.js

MD5 8565e5c4f039e694c7e51337055437e5
SHA1 b381923a6a2bd3fc437cfdfb9110623c3dde5409
SHA256 97ef425fda3f8b7001e8e05b499724c5895ddbdad6986681c8b7d7c04ba14a3d
SHA512 4598bd276a6bb7b936687314b4fb31be38356dc131814fd445f777aca92eebac591f7e5d052c2a55b4a0242da0ef45f3618f55310e5bb585caf3504a32e1d00e

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\build-info.json

MD5 daf224998924bf5b6470108ba8c61bf0
SHA1 7d442f4e1d1f2165d576ba9b568d3d58ea400cd0
SHA256 b4ac406c33019facb17bf89bb4b0b1b7af520deefb1d49d7acb95f9f2ab93c7c
SHA512 dab8acb6d036516acde15b9d6f237506da9bbf3280488a0102952fdf76a56ad30926bd0a8500ff95ccbdddc2f1dab29d379b557df8fe26e72210b02d117e7c36

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\LICENSE

MD5 901f6cd9846257b3a9c69dbd0a49caf1
SHA1 1506731a652bba9abdf804ba3c95651ec5a68bdc
SHA256 52412d7bc7ce4157ea628bbaacb8829e0a9cb3c58f57f99176126bc8cf2bfc85
SHA512 547627636339a25d7bf811b98143032ab2c43e0ccc5fe236656a98b98a009312a9abf2f05ab7a898695bbf0d09e727640385c3d7368d1545f13625215696019b

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\node_modules\object-assign\index.js

MD5 4eb3c1a156ce2effd67b37a2dfedc632
SHA1 519ffd5a4c91b67302cc9947b794966d629860cd
SHA256 e02cb9714ef6e561e971fe400644330212f07ca86120587199470d8b759a4b7c
SHA512 b08e9da7c516d186ae38b15f4ba796b524fbe8a7fb50775355d645b8c19f70038965374d9f1094f0aa02de94375481c0f9153aed5c48b3fe40ffe84d636790e6

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\node_modules\object-assign\license

MD5 a12ebca0510a773644101a99a867d210
SHA1 0c94f137f6e0536db8cb2622a9dc84253b91b90c
SHA256 6fb9754611c20f6649f68805e8c990e83261f29316e29de9e6cedae607b8634c
SHA512 ae79e7a4209a451aef6b78f7b0b88170e7a22335126ac345522bf4eafe0818da5865aae1507c5dc0224ef854548c721df9a84371822f36d50cbcd97fa946eee9

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\scheduler\node_modules\object-assign\package.json

MD5 7cb75c6e5855efa176d05689a7c0cd83
SHA1 3fbaf24f8d5659a998f6ebfcbef1f4ded990dfae
SHA256 66e5eeeeb818df66e6d3a7c0d72c68bb38dc8b4cd57aa4d69018ab975c318081
SHA512 b23f4c00998d39e3f9a6620e21fc6ea30e9f55537f9187f6c9e4da8d0014aaa696d0dba93889551696dbb233009b43aec4111857b774ce61597ec0f6fe98ef42

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\tar-stream\LICENSE

MD5 9befe7026bf915886cd566a98117c80e
SHA1 a95ab3a4b0e4bd978897f09b3b430a449da20a08
SHA256 3fe8d55a98dbf260eace67c00cf9bc53edb46234e840098a0b93df3096b97fb6
SHA512 b52ba143042812d6dd1031a12946afddb6e8f8ebbc7169c59c138d16aafc5e261aae92fe6b1ea94a3d80e39d2415c4b219710ef46939a2df135db24a0cf712fb

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\pcWeb\Scripts\MailControls\MailBox\Styles\Images\zmask-black.png

MD5 ada2d81c103904b90a362ee3d5ccdf32
SHA1 39e498617173b996ff7e74364cceab08f52064c8
SHA256 19a224698e93a1594a6583562361b5c456902afb34e8b3f420bf91566951081a
SHA512 dce1d1796e8523c74d103c1516e1b253e720a8ecb2bd3056d3c9e2c54bc3637f2349d3887efb140ed766e498d4bafe132b3668285e5ccfdfa1167390d63ad33e

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\fontawesome-webfont.eot

MD5 5ae23ad29b67289a1375d2043e289c52
SHA1 d7e77928069bdd227f291b9a2c9bdd918793e529
SHA256 a9595e5bf3b6dbbc076902b9abdea356053d69a2fe66506706de9bb39a126b8f
SHA512 78abaadea605e1615e2a40e7dea7456c9dcfe2da62461c6118d494130ab0d36f6943b2b81a4fc4339a12d458989f4433600b7ee2a18c120e1248e744bf8f970f

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\glyphicons-halflings-regular.eot

MD5 2469ccfe446daa49d5c1446732d1436d
SHA1 d53dff38dfb5c414015dfb31d30a473c95b50904
SHA256 5ff7c239555476e939e86d457bb78424b945b733b2c23791d9807c2357259d43
SHA512 4594e33e06a8ceab7c842b6867e4334a985091076c88d39c441732caa61c65668c2c0836d4d29f0ac296c6d064f13c89eb89b7342e28da8f43af083369363621

C:\Program Files (x86)\zMail\appzm\resources\webcontents\zmail\simplePcWeb\Scripts\Styles\font\se7en.eot

MD5 c97922b46d0dec5b6d4e3dd9fd7c3370
SHA1 5aa1eb8e36dfd47b9b124b2ba637b0fca67123f3
SHA256 6c8f8f5b8eeb27df6d27335f000954489db9865e543feae64e92db9a1298bd98
SHA512 8549b3e6d52d8d8e0cd4f5f251b125b28ccb864cf145d22b35e199e77e793141e9af70e4086940058f90f56b0ea2038524f35d365efcdc9a9a80d8a4085e8ced

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\VS2019runtime.exe

MD5 d3b594464f2312cde31af3f2aa516f9e
SHA1 15fe8e70c3c5582b70df173cd9b580331677735a
SHA256 b7ae307237f869e09f7413691a2cd1944357b5cee28049c0a0d3430b47bb3edc
SHA512 ccb19250b90eb629c35a897aba6d0ab16402305d9ec16b97b902fc810cde5d215cf8149a273cc8f8cae5a4b0665b116c085fe3b01a3ab3860c44f20ca95d6e83

C:\Windows\Temp\{9371C5EE-D575-42D0-9B44-51FF47A722D3}\.cr\VS2019runtime.exe

MD5 0082d66b4bd5a3f6254dd749fe372cb6
SHA1 9c06222e24276ba02a05767eed04cacdf00e54cf
SHA256 c78b97480214fd42f989eb3b2da72e325e1f6855adb7d4660deeca6ca63d5025
SHA512 727d329dba144ad58996f16de6c1272899fba6a4fa0fbfa7b14454d84ec250e0efe709a46249bcf486f61907aa08fd1c13aa447c7e773030dbff96c08f859f6a

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\vcRuntimeMinimum_x86

MD5 02484c30642db7c46b8bcd98a0c5a2e2
SHA1 cab48e762c8fcc023e1ef37f773b8d9e404dfa0e
SHA256 f23a7326f2802f253baa0cd93e443a67b6691db70f5c9a1788d4731e5fb168bd
SHA512 49ca0e550d7be548fa41cdeb8bfd1213df4195a8644ab12f83c468db60b93d6f839b0c25daa579902acd41af8c8460431fe750fba574774ec9deea495cd420e1

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\cabB3E1576D1FEFBB979E13B1A5379E0B16

MD5 580dd5543bf14d4b20d156631603e07c
SHA1 e8806c59c809e52e61147d10cc8dd27a7c1ae39b
SHA256 3f32dcaf2ac00c12dc03e19a6124ca0dce5e2450be950b39b9702f515efe9188
SHA512 b5f740e140793b91ff5c96b074c316a3fd029cc497d90f4a825182928e5f087d363e3633bd5f77d18e1516032b256fc5ee1aa0c279481818a0754de0138f303e

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\vcRuntimeAdditional_x86

MD5 c8d11825b24628d8f6c9c2e2be75d05e
SHA1 969c73faa769078b7219097ff304a8a497c9fb87
SHA256 48108db0552ed7f8f6631ca8b15e27fc3ea2f21dc6bf3542bb3d76476968ade2
SHA512 3cdf522fca221756cb2534ce88c47606ca74126942a5b2d486bedd5bb943343efc6c688d1e12117e8a05bfb7d9a100fc3548d866d8517c263f9e1bb5b2004796

C:\Windows\Temp\{E532AB74-682B-4867-9D26-13E21628E6C4}\cab54A5CABBE7274D8A22EB58060AAB7623

MD5 c3fa66895d164ef3aa80d0806ff08434
SHA1 c52df9924dcaac249e319dc773f315e5d5b98458
SHA256 526faf200b6be8c72c7d8f3ff2549bb88417a922112595b03f3092c24a0f1b7f
SHA512 0fc7f0263fcbb8c752748a184fad7c39fa7eba1c2045f8bc51afb74a691ad14ba9483be8d5afbdfc6a8c262a18e87cad0d9d90e68a4a354ef55e0abdbf6904b0

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240517082244_000_vcRuntimeMinimum_x86.log

MD5 b4682bce60a22c01665445a1a0a08543
SHA1 2cb42d7c24d4832491c206921c3965f3dae09b81
SHA256 36b062670b14b96ea5e9686c40a168f8d5fb81d86f1a06fd249cfb2e7ee33855
SHA512 220ef6d6f3058cfe022182db3e382d16279a80cc0d6192f213f5f61c5f6d2d03fecca242bad82e9162205e6274f23d877b56b832bf2964e537d4972a3f759108

C:\Config.Msi\e597fab.rbs

MD5 f80ce60f0cf8397675a085c64ff0441d
SHA1 101797940bfda8eb928c8b36c12283307df1ed6e
SHA256 2fc9dc0238f72345fd03c3a437fc98223916ec2af3d85a08f691070546861b75
SHA512 2a8011a83240145318f97c5d4df2161532c214593efaf2439f33e98b1573a7cf87aeda18f8d48b4b461543eaede23e7fe2518028e36e85f1709c13e9363c222a

C:\Config.Msi\e597fb0.rbs

MD5 476d7bff80beb3b03f9cd3d9f4bca5c1
SHA1 25459f966ab5aa6ffb6e3977ae210fe6fae55aec
SHA256 3d6b1dad2d9d811de5d6f84de2b3fa980fa380c98c88aa75598abba9fae95153
SHA512 127b2277b11316c74be617c0f78a9e493d0d4d4f5460b96066d9d87ab64bc1540ce9da51fab81bcdc6593f8272874785d3c3ad8072f80a628a59ee087847de0f

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240517082244_001_vcRuntimeAdditional_x86.log

MD5 71fc39c34890602833bbe21d29de3bd1
SHA1 d9a398def606d859a58c332be39cbaf15b7634c6
SHA256 c3ea3eaeb864c73e4c2590129af8e5e589f21902ea7d47391d11bbb23ab02ce9
SHA512 8e9cee894df7b22815a024fd8fdbbb91561af0de83205bda0ccbb37a1075241554f70504b9544357080da6115c6a6c483577078d7902b1c0f336cf82ef2b79a5

C:\Config.Msi\e597fbd.rbs

MD5 254077a9712324c992a8678520a22c5a
SHA1 790fff3bf939dcfd07fc7734a742f805e34fef4d
SHA256 3fe720ab50940fb6e59309ea2a8113bdc577a39ace8762a70c9c2908bf55f4d3
SHA512 63622220f0da0f671da83572282018079a8a7a47b4ed9a5424cddc60967239778455a6d886b25dbc78a4b567cb0bdf3495ed4e30fd375df5a0a97ca68a89635c

C:\Config.Msi\e597fcc.rbs

MD5 6a5c4e2a8dc94a9c83c0a1bec734ccd1
SHA1 a2efd61bda794d624d9c30e568e13614667dae61
SHA256 b65f8480004aa6dcf41c1fe5acdf8804f1c19d02ad655e30635727f26d1d67b5
SHA512 c9bdea66541f61746fb77c0657f26ca298987fb9a93548651cd76de0318c2b2255f7d60f2e04e1837eda80a5930960a05c904547665c82f6929e55156c3fd9e0

memory/612-7753-0x0000000000070000-0x00000000000E7000-memory.dmp

memory/3588-7790-0x0000000000070000-0x00000000000E7000-memory.dmp

memory/3460-7791-0x0000000000070000-0x00000000000E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\ioSpecial.ini

MD5 4cfe6ad50b537b5702254cfadca726d5
SHA1 e6f76bcf97bdf47823ee667b887cb0f6b13cf681
SHA256 3dbf7dd13f6bd9f6615c869807f14dd990719304a6071888ce3b545bc3ca4b91
SHA512 0a6bd2fb0c4df0648a22af986388116f9a30840902ca25f607a32cde0ec994d2a9adbb7a82717eeb2605ca245968a06f193af5697f535b0a74b7060ca65ebe65

C:\Users\Admin\AppData\Local\Temp\nsv6216.tmp\ioSpecial.ini

MD5 55882d5dfad80c9803fb79a41e99ea8c
SHA1 eb6248ef78e85dd39ac444f8254ec2a07112f02d
SHA256 40dd948416977e70cec99931325c385eb196bf3ba1f5531e054432a9f27c5e56
SHA512 11226abe6fe0d9d4831d767b828cd1d6453ade78ee90255e7ad9386e00e1b2fe05465d5d856f3c53603a7596085cfa6b0fc39c3e33c38d3b211fae6260b936fc

C:\Program Files (x86)\zMail\appzm\ffmpeg.dll

MD5 b63e9344554c0038deff8cdbb11522bf
SHA1 9875fd48da67ec43fdeda560a5b2d725fb4c619e
SHA256 05c918622b0621148ee260d5cb0660d7f0732deb02ca7d58476741c0be84e412
SHA512 824f0cf8e4c496fa411ff8ecb5acb9c573a562459bbced42c2d7ed5827ce722402d8e6bb658abdd8bb32ddbd4b7c30fe9e675f2db0c24cfecd39ff15f333d5e2

C:\Program Files (x86)\zMail\appzm\v8_context_snapshot.bin

MD5 b59edfc69aba2f4c433d5b0861d9ac31
SHA1 a2adeb4d3b45170351d1c8ba0dafde71fe35b9c7
SHA256 82c3df9c5e8f300b1af7b1d070163b43648a762acff0ce78f801382d9cd58d16
SHA512 b737160e99b6baa6f960316a223b47690335372ee2d9bf0331e331041dd2e8f727805377ee673e3ace494af01914d301b7e27c5fe5f6642ee5d08afa5442f8f9

C:\Program Files (x86)\zMail\appzm\icudtl.dat

MD5 76bef9b8bb32e1e54fe1054c97b84a10
SHA1 05dfea2a3afeda799ab01bb7fbce628cacd596f4
SHA256 97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3
SHA512 7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

C:\Program Files (x86)\zMail\appzm\resources\app\main.js

MD5 ff3c6efce245403c3787716cb325195f
SHA1 833e500982fdeee7b000013a2c63eaab6f0464a4
SHA256 6783d0ef79a32688ea27f3a22752a5daaf3bbffc298d03b4d2f2eabac4e13002
SHA512 0081b13f9ea8883e134ecdd89bc2f53ae3c711a7f182df83e7e9eea33cec40dc1b353dd12f46917d10d62e01ba4f03c53d105c014eacfc657e995dd2789aa46c

C:\Program Files (x86)\zMail\appzm\resources\app\package.json

MD5 0a9c53b80daf419d0c7ea57fd2ae2ada
SHA1 b148472f0205e60eec5574832ce13fb6f66702d2
SHA256 ae7f31c99d10b60934bd8cb1333c44e3317527bd8758b9b8c9c58349e2d943c6
SHA512 4cf5b462d01bc24ec745031eddc79c39556b54c97fe75de6c0806b873835fb4c5514bc11df8c9af5d52bb75b7601fc724381365bc0dbc8739c942fe0f40aea2b

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\screenshots.js

MD5 4b0a1ccf728a53febfe00fd821ece785
SHA1 5af2fb979b53c91761bef792e8e54bdb6d6cfb03
SHA256 89e03f74a131f32c0e93433cbdc50beafdcb7acb2be95fa8eb1aad381ed5de38
SHA512 35e079ae2b67b9e321e7dcafaced59da93cc9d859cd1f034c77c5c7473f70605bf6ebef29051b67ccb1b01603763e75668726e44ea571daaa685c261aee1e817

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\package.json

MD5 1aaf2c14829667f816ae3f4737409ca5
SHA1 7697b522dc3ba9d53d7a753e45b2a7f185b4cc25
SHA256 58b39363d7c243002f70d61c4555bddf4a6459714d9e07fbf77597ef0e2c281e
SHA512 b15b6bb83e3a3a3bba75c83f0ffdb20d4422cdb3a83c1bcb8e9f8176ae1340b48c89915298af639bf77f11446c75d0c284ad497decc35d8bcc163521bab7cb8a

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\event.js

MD5 2459ca68fd107bc4266ff784cb30e452
SHA1 69e808137cfffa5eb1e039992172ad1437f17553
SHA256 b47367bcbbf550adaf180745295e267838f153b650225e35ee811a2a1dbe80b6
SHA512 b63b93fa38c248f83b360c212cca6e7125dcdc1ce84a76d197dffcbad790357a75942fdb1e36b35b14e2e24db0845d3816522b0fa026ec8c6b3d2e1d1372fa34

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\template.js

MD5 8c0a5e07fe58762fbec363c9722bee2b
SHA1 a2599ca68e1d53eefc8b75a7c6a5ef9d6878475e
SHA256 29a26d106bf11b5bae096bf41e091f952c2ba26950bdfc7c39c2f1fb3bd4db55
SHA512 b59e169c0f1e8cda61e27fff78bebd4f0c9bf66642e210776f870f5f0efafeffb578e48bda7d049c431637b4ec2a98aceef2ecc946e4023607c987db455f180d

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\packageJson.js

MD5 d02303a218dc0a76a6a9e63f6b34f30c
SHA1 efb42cc6e7fd80020ce5fcc82bbb1fd379cf0a5a
SHA256 f0294e4908342dfe7e3ba933e348b6a7bc19d38d9dd06687a958eb8e26d923d9
SHA512 ed245018e76fda9aca24001534f59042874254cd706a7a7f07b5225d39161ef51b8f4163707f93d572e58af8560d97a931f6abcfa84099e84eac67f0af25f6cb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\remote.js

MD5 373be0bdf1ee0d64969fd938cafa4a09
SHA1 a29a60e4d537ee80b11538a9f901f002ddbfbb82
SHA256 443b03038dddbf54f150b5998ef42cff549a636b756c2a18b86c0bdd3080f047
SHA512 425ba2cfde6d5f44c64b1d205fabadd1ab957f061e3c2cddb08ed2990d822a0083b731c0bf405c8344a677429e7295fd385fc37ba16d83dcc9833338e2433cbb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\ipc.js

MD5 3d7b72d7bf55364873ea8a01797d2279
SHA1 5cf769350a194c81ca2eda9598b177ab78cfbd17
SHA256 9cf486306cc0f7cb2323bdcfa86b8d9c71126082d4e865c80eb49c1b06180630
SHA512 f5c1eba2b6afd4699823a8c5ff6943fb8d05499763827ac550f9ee8c7727cdedd6ce65a0d4d003f2dc12a8becdc3a770feb120bfadc4ee6575176f9242deeacb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\variables.js

MD5 78c982f754a24f31c9152dbcca3cc259
SHA1 73f4e43e9ed67d18183024e80b2b0bcf2700477d
SHA256 d8c5a9886d53743eb80e8a077d5d2c3081af25385c02e934804208f2cd4ce576
SHA512 7b0e9f518d28f3e3a5a6c8d64835e0e3192c8a27062324245b700d170f090dcb36deed0ff194de4ca4ed4ad79eb171ac1fecf44fe5df5ffc75d902cd42641bac

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\file.js

MD5 df5d7f68f0f43351beae46ba15c1f811
SHA1 585fbf7d9d0abea3ef3ec305dc3d2e8f5c28e2eb
SHA256 6671e52a6735a0e5de7db4d4c6049c3c5a7cd3eab6b09c597d9150942ad0f3f9
SHA512 dc671931f6e508a7d8498d61e5d5597ab34e7601119e34bd298404c0334ead05983f8da3b95ba8a37e10425fc2a26ae2a0d12ec5c96c6f7a3f7b003402e59f3d

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\file\index.js

MD5 26bb140fab1a9d80cfb7dfb5049c62e1
SHA1 37e67f1481a724c1150945fa4eb5fa40958b595b
SHA256 e1e8710633a744e24dbb59b469e1481a6e1ce7d3cb9ca22db7bbd2a9395ef2ec
SHA512 b78338b536a5ba0ce8c664668b686cee0c22f97d2103286be7f49264ec0fef451aa587e872412b04934c724eccecb7dddd2c2ae12db40c6c5b7746b2e2d22666

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\style.js

MD5 bfcf10be444b049bd634736ac46093d0
SHA1 21f887e5650ade4b265145abb8f43d6bc0726e7b
SHA256 5fcde50e9349f81838a7238d385bbfd722d13aafc62926664ebb972c49d84035
SHA512 da9b374e09a8e8a263ec669f9ff4990d4cc6622ce29fe2e893c49323a7e5b3fbce1a9f463d5a1bd21c6a2b5e8dc9dc64375b5f1093004af47a81f497816c2e3a

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\object.js

MD5 08c3b517cdd1544713c924de2ce33939
SHA1 352ac884d547665edf80b226e7fd214fe62bc7ab
SHA256 300ef90ce0e743fc58a2b84758bc867b49b0283f92daf62834707d03634a5ee9
SHA512 b52f459c35e6f345b72b9806833c8e4a5bcd4b989dc7e6328d8f372ff80d5a50df8109c59e3bec7b63ab5d372b194f45f97daa7ec6d999a60be1cf0802db83bd

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transform\index.js

MD5 3c5fdd8c87c793ed1c4b83b8d0afd46b
SHA1 2aa076fc20d2e38cc17daffa5af124e7d0fa65c8
SHA256 5090938d0760b8511d20baae9367ff6d292a09fae0ebabbc39390054ffb1e026
SHA512 6f349849a78abe425b51b7949f317524ddf3339578529db1764fe79e0f237e1ad965654ed962e64bfa3540df67728eba0685a3848bee58cd65d5bd74791663cb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\transports\console.js

MD5 29a38765ee22f39e1b8213e583c33e18
SHA1 2e887860a77b603c71d7e8e8790c4545805b8bf1
SHA256 be3b503cdf49c5f1315c80b6a3211fe9015f28512f6b3353e7f1d8695d1499ce
SHA512 403dd1516074070e35d1ad283b1082fdc89c0d367e15b7260a8ab18ac9a7c48c343f61175dce2fb56f9d75634059497ad51691ac123475a7d5b9b32c0c66f631

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\scope.js

MD5 f89e1275dbb8430e47eed45784c2623c
SHA1 dd2c261400c14b6e3790227362d6044a8471e2e6
SHA256 2b5acf7e6d22daee042679754690d02f495a667758a9a61cc463b62ca52568e9
SHA512 5cab4e40e3a3e0896c0022c80fd5764eb3f3d69604d3662296bb9f4ee9253a36a83dfaa61e7daaeca1d3f7c965ab32459d5a40c1fdc0a023b51d6a3f64cc716f

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\log.js

MD5 e61e1a62d73b3f706a9b95072c8a4f0c
SHA1 aab539ea5b6164fe90f6179cfdc4f95d78a42475
SHA256 a30767af0475c7d81d9e13405b86443ad4f7c6f08e2027398a6505469e8cf13a
SHA512 e59374bce44771752b85692abd68888bca42d18aa9963ee99d838d9e0575e7f0da3d960be96911aeb77b978f727b61c5ac7ce31f075131b884d98d6a656c9df5

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\electronApi.js

MD5 16161bef929fa60543df2b532b2b6673
SHA1 eba0ca4b668ebc84843c94b8a8e4866ab5f28490
SHA256 1268f8a7ad980db3c87f97b54be73adaa261fffbe953c1ae8f3aa0a59f4a5ef7
SHA512 23f6ccb17ff96061176bea052a1ee55a56cb8c97d878fbe004a9445f3a577a0b2c05bb2a1842092a5c021de27a78146d7e5eaf69b45f4dcec7dcb2b8745a66eb

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\catchErrors.js

MD5 2b5db023309cfca83aeb860081c24018
SHA1 19c725f5b25d3b247456f063fe3a39488b2e11ac
SHA256 8a1b7f8971cb65a209cef2621ddbf010299bf1d518173013f386008226571977
SHA512 4569f0a3bc60a7f06be4baf63cedea668d1ebe0320374b21049ede613871c07075ddd2ca67ca33453ba3c35b2bbfac47a840f315f655edf28386dfdf66005515

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\src\index.js

MD5 4d1666f6dbbd53c8b65567d14bd17ccf
SHA1 260396d5de742b160d373be3b85f49671964a949
SHA256 7e7689688fdd340a2d89c30eb9f984353e6b32e240c3d028c2755cb78dd3462c
SHA512 e3491597b6d87bd0c1af2cea8d6583d4174beb3cad430d23fbdbf0fe458a829e1bceb38be3f5aa58ad90881046b1fe72f38e7487105410875fb68cb23f804e3f

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-log\package.json

MD5 4cf10caffc6a41c411834cf8a073ae62
SHA1 0f3adf66e29efbf807e2912c6b2184bc19d4edbf
SHA256 2b3016fc91432ea8fbcefa9b52440df23febd32b295743236e9e037b313164b0
SHA512 d4a73bb19f0b7dbdd03718e8f588cbffc625c0e70d05968c44961cd33da2518bd91653081e14c7fefce060caf41e03f2dcc60717627c44785081e59eb1777ca9

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\configInfo.js

MD5 eff15838302f5109f5f8ca46feabaf32
SHA1 86f630148026ff439c1001c995af1520978a42fa
SHA256 6ce8155b08fef22b886e491672a2cbe6a682463915793d9eaa51890b1d9f1a01
SHA512 4ac88fdfcc1041752ceb19fe02a01fc52b2083cc239ad14d731d8207c0dda47d48292a0b00d51090798105e16a869aa3023d31a586e758c1bab6e94494d2a434

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\helper.js

MD5 d11e93768a7d7aef6c4412f971a65044
SHA1 7cb2a53421cd5787a228ed860f39519ced74bec3
SHA256 f639c3dede8d4808896d6358755653557dbde7efc08d22e35a52bd7815f2c0e5
SHA512 9211dcf9e9d0c0b7d43ca4962de05b6d7b181a8998ef285a8817ab570f23c33c5ae0ed6064d349895b3eaa590d50d58df5ba461c2e172348660c61cfa8fd65a5

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\getBoundAndDisplay.js

MD5 cdccfa721f5eb9341af9c159ebcaec9e
SHA1 0a27f942625ef8f350912c1cc2ec1946dcd9637c
SHA256 78a9dae25e92eea55bda0f0c3b0866a42138fecad67d8d1ae06bb45c89e74c77
SHA512 a56dba6c62fdc46b2f0bf18cc9aa49176a8c2250832ab99911acf2e726ad800304b1a9e0e788d92a524b9d2f4a0aa59f36c3874def163b27a936f6c209fcfe95

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\electron-screenshots\lib\padStart0.js

MD5 a15198333f81c7cf28473da19e2492ba
SHA1 51279449c18af7ab5fae139c8c3d3f46c6dd7e6c
SHA256 cd81e24becae1692594a096f34c35706e8468e550e4e03e5d0987c480e2d08d4
SHA512 ca905191113cd6e234919299a380332f0c3e97ed257c1be46c986575cdb7de672bdb79a3e55b954eb81a711cda254556b9250d7900949fbf9d1fe09f542ea873

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\mime-db\db.json

MD5 336dfa2070e2463490daf4724a008c46
SHA1 6fe17dfbcf3f67c90dc513148a9191a327e978d3
SHA256 d3cb9cf8c3f96915d4191778405393144117ff6b3cd5fbd958a5cb32bd74a83f
SHA512 54170e3addb6d119ad5ecbdd97ab07fb75dc1772b8cfbddbc438bba8a55a537db1976cdeb1329e8f2638cc9705623b31fb9f02b4f72cc2ab7626020a3117acd6

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\mime-db\index.js

MD5 a3e41e93954b3742ed84d3050d6038cf
SHA1 31180f8d0ae079b1bee7ee03e77ea5323583eb06
SHA256 a2532ace32711ae90deb4ae4654c5bc4e56f0a1e21bdd15ba26334bf723dfb09
SHA512 3fb66322fc8b6bcd9284ca8896d540084a7818aa57239d87ee0dcaf29ba9f529a958906685b2c6bb04daf778faed8158811934e656db968e5dd5ee3184ea6b30

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\mime-db\package.json

MD5 dcea5fa83b4a0a89c9ccde9f31c9cfba
SHA1 a03e52f96368427e1ed47d8e9779e676ab295f29
SHA256 e566e4560ae1087cf21e73b2d02ed5e304ec0f015e82606fbd334650e818a54e
SHA512 e196a2025b420d43cfb3fd377543011952b7b4cf35600b4e6980bc1ac6f29d8229f25194b152e485025c4193eed6e0145f7f3045f0b065c655cea1aabbbbae8b

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\mime-types\index.js

MD5 bf015bb6811afc5c98e3e5f7072fdc79
SHA1 8d1f07ae6192c4dd6bc08a9247a91af4a0a51eca
SHA256 8cfccaac306beb650d60c7f069ae0f4b39d648f1e3914696b18c133ab33e6419
SHA512 c2489de379efa61d68cea7f1d4ce40593a48a86f62c8be1da099a4462df0705c324ce2260b1998e9bde494d2a8158c60d7517be8448d27252379d675d99ae1be

C:\Program Files (x86)\zMail\appzm\resources\app\node_modules\mime-types\package.json

MD5 9aece813437011c814b6c237c6dabe76
SHA1 84dbc55c777d6cf7b4fa6281bab77576baac5130
SHA256 904b03949b9ba863650f15a47efe096e1ac9f0b755d8e05ed097a7bc248fcd91
SHA512 0751a7e4580d93f3daa2cf79c441646bb4fed7bd2a0fe60bec7ef17fb4ffffc00812270174e9deda70d4e17f2045b4ccd451bae38fbe8bafb7418eb2d69a1e8f

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\appTray.js

MD5 185ed307895600fd134a610004beb6e8
SHA1 a2a10f41ac509f85b55cdf32d1e42891534fd70d
SHA256 d596a7da6c0e188c1331687ea9f1a20496d5182255170fb89da9fa3f05c8e352
SHA512 46e74813bedf5b6a56691adcb1fea3d136d9e51002dff4ce29004e29608953294e6bf983ec748c5c49c64b509efb63a0ef5eff6d463c9a26d3615007398b1678

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainEnum.js

MD5 8cb0aa172d2ac93a77f71af9bad2a9cd
SHA1 072033e27e6f3c4b6c33782aadea81dad77cb8ea
SHA256 d1020c30a0ccbd733f05350050a8aa838a03b4643e99be7e11e2fc18d74f8ed1
SHA512 9982596cdc410894fec8eec98e8fb3d4fed3235408c61d7e1b4616b1292c0ae360b4b41b441d73d3990e186b5289b01df4ae386313ebf53823f849ccce87244c

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\clientServer.js

MD5 18963e75ca04fcab2f4a30bfc341d2b0
SHA1 04ec39fe68800c472523c3c6f1c65679f949b333
SHA256 896712e2d41c7ae5a9a427a27d45dfdaa245b8ed416ca830258b9912286fe3de
SHA512 539951eb418dfa72245f193a68bd4b42edef7a01b082ded18580633f98e5f3af4bf1dd8e4819f6e73bae2498208bee50386d9484421d0798f3a87755a6d1ce1f

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\clientMainWindow.js

MD5 e93d5c197c1c433a72fc0fdc7658f07a
SHA1 71072ed86fe2efc44018795e29e28f1d349a61a7
SHA256 f8dfdce1cca240114bea68f18d23565bc7476ea4e43334ce07763a55f956ed29
SHA512 cc84797be773bca2911d744c78622a565e3d37199a336242966d03b05a905b6dc1b7a94d7950fe387533cb792b03fc9e1f133a7994241e4818640117f14af790

C:\Program Files (x86)\zMail\appzm\config.json

MD5 c102c7d9eed200e3b4796d50407fabce
SHA1 201a97eebb85beefc92c63d6dc755de45af288f4
SHA256 97be48d2605edef0a653c538d3ee09a14e5bf84b94fbd59c98a4162c6742b40c
SHA512 ccb99e9b308b0bac10224a771bc44e04f7c3f07f72adbd36c321961d2a665e6d1e5cbb2284b20350840dbdeb39956406ecc85269463419637a2a1061d9c4c920

C:\Program Files (x86)\zMail\appzm\resources\app\static\js\mainClass\tools.js

MD5 7a0d0f6d5f7cfceeef5254c4b3b24594
SHA1 03e7072c7c3f9f4b3e77a9968a49d589b1e8cc0b
SHA256 96c0e1a2c8545690fffd676d63609d8669b8d9181083eb8040bec10015f916a3
SHA512 dccb43576902948064c21765b48a974c49ef1b23d87d1a4c15466392206064680002e5679324e06de64b16f5e7734ee7f3db40fc236c3c95aa261fc299461b02

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\zmail\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Program Files (x86)\zMail\appzm\zmDiskInfoElectron_v2.node

MD5 30133d6ea83a2ea72301303653dddae8
SHA1 e70e7586de1b6edd76a8700555d9ae09d6675094
SHA256 3a3d554c3aabc3ce8f7345d11e0c233b4f0b16183fbeb82ac4bac7c5796526a9
SHA512 6b2a55c2bda3fd48fcb18db997a5d39e7413c2bcfd4278a79706228b4d48d914f275aabc585f61c1d2f62ae63140f15d28219482dd3b08086427bea5b4bb7b65

C:\Program Files (x86)\zMail\appzm\zMailchs\zchs.conf

MD5 d40f4f1dc595ccd0f9fe6d75a8f9eeee
SHA1 c30316f442f91d6ae119d896fffa58a8c7e753b0
SHA256 9d596d437c8c94179b9ff46e7f39fcddec14dd71947827afbcdb01a8daa08987
SHA512 25c13de5c4b6285e80301546c05a939c03f38e3935991541fdf9052d256acca331f7dd726f196fd0f76ccd6980ec9bbb925d98590bc2c762dc3521a2267bbe4a

C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDataService.exe

MD5 6f2f0f724f3abddcb85dedf8e6404c25
SHA1 1b2b90b77175c1c2e2d7906fc1fbfd1493fc02a6
SHA256 e40069c4361fbad1c897d5fb14b3884d9940cc0e6c0a7cca3fc3784343eb0384
SHA512 7e11287d204457a508cc91af1b6152b7e514f7ff953a58e01ae49f788c5a921e0f0820fa27fdf30b37c760856baa3c7f2c939414eea558f7d17e4cd84af5fb9b

memory/2372-8139-0x0000000001280000-0x0000000001498000-memory.dmp

C:\Program Files (x86)\zMail\appzm\zMailchs\zMailDbRepair.exe

MD5 1ea8c4d06573c1eae6fd17daad96335a
SHA1 75e4c175dcead1ed5cdfa1d55dfc7a27c041912f
SHA256 c1e08fac9313d95bffd004e9dc4df403eb7a2e5f4f5daec00245d54f29dc02f0
SHA512 f90ae5e3457fcf64e29913d9dae2ee5d129810f0487f31ee3a5ba9b196a2351e0380a2b71901a6c65b9495ee4cbca891eb85c745d6074beac84d2405c57ed917

C:\Program Files (x86)\zMail\appzm\taskdata\TaskLocalMailImport.dll

MD5 cd5f3c123d9c0d8784eae1021fcadab7
SHA1 843e711a933f5a4134c59b9f264c1671eec417ac
SHA256 4398af63205c6e00cabf805a428da3cc3bbc6260d8fc964a9733244456742cab
SHA512 62d2e04a4ecd53450ca435bfa99fd565c53ad912d2f7b247608ece31f79c7ac811cc8e55b882b224d7cd153a4331cc13d2702eb2faf01ff62ed0b6a1f07f51b9

C:\Program Files (x86)\zMail\appzm\taskdata\TaskFreeDisk.dll

MD5 01aae1ebc4fb600d76ff3a98ea412dd7
SHA1 c1a02270b97493596b075cf90c4093cbac4dad62
SHA256 7cd64f6f0158a7f210066fa1a99211747d1fab09301c73ad95ae3c2265704384
SHA512 4ac2868e7c947949e6ea2aa0316943b68e2b73afffed8d984f67df4f1f9140f40c30da24589070bf6e6e7b45ac8a17b107330bccda836202010970c7cfe4d9cb

C:\Program Files (x86)\zMail\appzm\taskdata\TaskSE.dll

MD5 4f853ec60cb38789fe64a3119d49364c
SHA1 f3d30c65b01a2e7dce000c05a2c77d5aca451ea4
SHA256 b9fec850c983980acab2790ae1bb19350a29413dbaceb9fdd7d04a66fc759c21
SHA512 a06ff7f57c610a8f9b1655b63990720c18e6dcac9a5940bb4e8ecb5aa593ceabb97abdf1abcbe5cf760136b66d68ac1fb97580526c4b0d9f0ae9a3d0936fb903

C:\Program Files (x86)\zMail\appzm\taskdata\TaskMoveFile.dll

MD5 6862b76edce1560e319f0d7b7de4e1f7
SHA1 5f64741954e52aae39dfb445ab569b213b834608
SHA256 530a5c58ee0753e9f8c47a8fddaa42377bd7a842ef81e8aab1036ad99e233c8a
SHA512 52d6283aee07a540d778bb5ab5e4b5c883bd18617fa896801cf92b916bf5d2c6a3e9edce5faa5325f55afb1e928958ac7dcf9ee72c141c5652912d4e33022a65

C:\Users\Admin\AppData\Roaming\zmail\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\zmail\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\zmail\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\zmail\Code Cache\js\index-dir\the-real-index

MD5 58833f8c3b138e651b1768853234801d
SHA1 93e422b0fcd91e46d195b7b0a7b1dd08f144abe9
SHA256 e05574cb4e92c6d75d0456bf74a49372c269204d206b576aca8693459fbb0989
SHA512 ebda03b1c850e638d45f9606562d81f3bb4fe36a455d4383d6f061061b2992c55cc5a282c72ebb38e389be8be141d0db28d4defa7170f79cf6ea8a36d4ea909b

C:\Users\Admin\AppData\Roaming\zmail\Code Cache\js\index-dir\the-real-index

MD5 cdea03745d6bd22a0092023aea47cb96
SHA1 1c892cf23a0e85436e6332484b072bccbdf83bbc
SHA256 86e1df4ac864abcbb00884756fb6aeb5ac74bc480e3cb824178c0d5c0b2970f5
SHA512 a36e6d7680e2e5e93aa210701909ea58a5af22f061f88122673059726d770a9b4617680db394b14baaf3d16863f802e760c4209bd85438fc48415bae40841541

C:\Users\Admin\AppData\Roaming\zmail\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\zmail\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\iterator.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\iterator.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:24

Platform

win7-20240221-en

Max time kernel

120s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\join.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\join.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

121s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group-to-map.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group-to-map.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

162s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\is-array.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\is-array.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

163s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\of.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\of.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

132s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\push.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\push.js

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240426-en

Max time kernel

128s

Max time network

162s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\keys.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\keys.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240419-en

Max time kernel

118s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\map.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\map.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

119s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\of.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\of.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\join.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\join.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240215-en

Max time kernel

121s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\keys.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\keys.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240426-en

Max time kernel

125s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\map.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\map.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:24

Platform

win10v2004-20240226-en

Max time kernel

98s

Max time network

219s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group-to-map.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group-to-map.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

162s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 170.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240220-en

Max time kernel

120s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\includes.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\includes.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win7-20240508-en

Max time kernel

119s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\group.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\includes.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\includes.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 170.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-17 08:16

Reported

2024-05-17 08:23

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce-right.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\appzm\resources\app\node_modules\react-screenshots\node_modules\core-js\actual\array\reduce-right.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.170:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 170.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A