3a5f51e46b9314228955b6e42ba9cf5c37566a69a2f49acb9ad0ee8c3132ba24

Modify Registry

T1112

Processes:

Zamzar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.Zamzar = "C:\\Users\\Admin\\AppData\\Local\\Zamzar\\Zamzar.exe"	Zamzar.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exeZamzar-1.1.0.Setup.exeZamzar-1.1.0.Setup.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\N:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\I:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\J:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\O:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\W:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\V:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Z:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\E:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\O:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Q:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\H:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\T:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\R:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Y:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Z:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\J:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\A:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\G:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\X:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\T:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\U:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\N:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\K:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\V:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\X:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Y:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\W:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\P:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\Q:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\K:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	Zamzar-1.1.0.Setup.exe
File opened (read-only)	\??\P:	Zamzar-1.1.0.Setup.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Zamzar.exeZamzar.exeZamzar.exeZamzar.exeMSIF257.tmpZamzar Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Zamzar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Zamzar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Zamzar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Zamzar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	MSIF257.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Zamzar Installer.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e57d62e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF257.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID814.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B5B9C0B-75D4-4BE8-871C-B69E1AD59656}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF10E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d62c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d62c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID716.tmp	msiexec.exe

Executes dropped EXE 15 IoCs

Processes:

MSIF257.tmpZamzar Installer.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exe

pid	process
3976	MSIF257.tmp
3400	Zamzar Installer.exe
4052	Zamzar.exe
2136	Zamzar.exe
4212	Zamzar.exe
2156	Zamzar.exe
3592	Zamzar.exe
3512	Zamzar.exe
1796	Zamzar.exe
5880	Zamzar.exe
6132	Zamzar.exe
5296	Zamzar.exe
5768	Zamzar.exe
5892	Zamzar.exe
5384	Zamzar.exe

Loads dropped DLL 57 IoCs

Processes:

MsiExec.exeMsiExec.exeregsvr32.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exeZamzar.exe

pid	process
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
2764	regsvr32.exe
4580	MsiExec.exe
4052	Zamzar.exe
4580	MsiExec.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
2136	Zamzar.exe
4212	Zamzar.exe
2156	Zamzar.exe
3444
3592	Zamzar.exe
3592	Zamzar.exe
3592	Zamzar.exe
3592	Zamzar.exe
3592	Zamzar.exe
3512	Zamzar.exe
1796	Zamzar.exe
1796	Zamzar.exe
1796	Zamzar.exe
1796	Zamzar.exe
1796	Zamzar.exe
5880	Zamzar.exe
6132	Zamzar.exe
6132	Zamzar.exe
6132	Zamzar.exe
6132	Zamzar.exe
6132	Zamzar.exe
5296	Zamzar.exe
5768	Zamzar.exe
5768	Zamzar.exe
5768	Zamzar.exe
5768	Zamzar.exe
5768	Zamzar.exe
5892	Zamzar.exe
5384	Zamzar.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Zamzar\\DLL\\zamzar.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000081a0e6b9f9d406b40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000081a0e6b90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090081a0e6b9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d81a0e6b9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000081a0e6b900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 22 IoCs

Processes:

regsvr32.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Zamzar\\DLL\\zamzar.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\ = "ZamzarShellExtension.FileContextMenuExt"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Zamzar\\Zamzar.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.converting	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\ = "Converting file"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell\open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell\open\ = "&Open"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\ = "ZamzarShellExtension.FileContextMenuExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EECCE8D3-934D-42A4-B58E-DB115B8D8C8F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell\ = "open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.converting\Zamzar Ltd.Zamzar.conv\ShellNew	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.converting\Zamzar Ltd.Zamzar.conv	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell\open\command	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\shell\open\command\command = 2c005d006c00460045005100550066004900400077005e006e0021005b005a003f0054006f0043003e0028005e006000500059002b002d005b002e003d00490030007a002a004f00410033006900700059002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.converting\ = "Zamzar Ltd.Zamzar.conv"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Zamzar Ltd.Zamzar.conv\DefaultIcon\ = "%APPDATA%\\Microsoft\\Installer\\{5B5B9C0B-75D4-4BE8-871C-B69E1AD59656}\\ext_1.exe,0"	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Zamzar-1.1.0.Setup.exeZamzar-1.1.0.Setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zamzar-1.1.0.Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zamzar-1.1.0.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Zamzar-1.1.0.Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Zamzar-1.1.0.Setup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

MsiExec.exeMsiExec.exemsiexec.exemsedge.exemsedge.exeidentity_helper.exeZamzar.exe

pid	process
4580	MsiExec.exe
4580	MsiExec.exe
3596	MsiExec.exe
3596	MsiExec.exe
1060	msiexec.exe
1060	msiexec.exe
2204	msedge.exe
2204	msedge.exe
1368	msedge.exe
1368	msedge.exe
6068	identity_helper.exe
6068	identity_helper.exe
4052	Zamzar.exe
4052	Zamzar.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1368 msedge.exe
1368 msedge.exe

pid	process
1368	msedge.exe
1368	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeZamzar-1.1.0.Setup.exe

description	pid	process
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeCreateTokenPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeLockMemoryPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeIncreaseQuotaPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeMachineAccountPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeTcbPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSecurityPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeTakeOwnershipPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeLoadDriverPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSystemProfilePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSystemtimePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeProfSingleProcessPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeIncBasePriorityPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreatePagefilePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreatePermanentPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeBackupPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeRestorePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeShutdownPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeDebugPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeAuditPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSystemEnvironmentPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeChangeNotifyPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeRemoteShutdownPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeUndockPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSyncAgentPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeEnableDelegationPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeManageVolumePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeImpersonatePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreateGlobalPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreateTokenPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeLockMemoryPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeIncreaseQuotaPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeMachineAccountPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeTcbPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSecurityPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeTakeOwnershipPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeLoadDriverPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSystemProfilePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSystemtimePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeProfSingleProcessPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeIncBasePriorityPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreatePagefilePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreatePermanentPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeBackupPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeRestorePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeShutdownPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeDebugPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeAuditPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSystemEnvironmentPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeChangeNotifyPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeRemoteShutdownPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeUndockPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeSyncAgentPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeEnableDelegationPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeManageVolumePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeImpersonatePrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreateGlobalPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeCreateTokenPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeLockMemoryPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeIncreaseQuotaPrivilege	1632	Zamzar-1.1.0.Setup.exe
Token: SeMachineAccountPrivilege	1632	Zamzar-1.1.0.Setup.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

Zamzar-1.1.0.Setup.exeZamzar.exemsedge.exe

pid	process
1632	Zamzar-1.1.0.Setup.exe
1632	Zamzar-1.1.0.Setup.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe

Suspicious use of SendNotifyMessage 44 IoCs

Processes:

Zamzar.exemsedge.exe

pid	process
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe
4052	Zamzar.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeZamzar-1.1.0.Setup.exeMSIF257.tmpZamzar Installer.exeZamzar.exesvchost.exeZamzar.exeZamzar.exemsedge.exe

description	pid	process	target process
PID 1060 wrote to memory of 4580	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 4580	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 4580	1060	msiexec.exe	MsiExec.exe
PID 1632 wrote to memory of 2984	1632	Zamzar-1.1.0.Setup.exe	Zamzar-1.1.0.Setup.exe
PID 1632 wrote to memory of 2984	1632	Zamzar-1.1.0.Setup.exe	Zamzar-1.1.0.Setup.exe
PID 1632 wrote to memory of 2984	1632	Zamzar-1.1.0.Setup.exe	Zamzar-1.1.0.Setup.exe
PID 1060 wrote to memory of 4768	1060	msiexec.exe	srtasks.exe
PID 1060 wrote to memory of 4768	1060	msiexec.exe	srtasks.exe
PID 1060 wrote to memory of 3596	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3596	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3596	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3976	1060	msiexec.exe	MSIF257.tmp
PID 1060 wrote to memory of 3976	1060	msiexec.exe	MSIF257.tmp
PID 1060 wrote to memory of 3976	1060	msiexec.exe	MSIF257.tmp
PID 3976 wrote to memory of 3400	3976	MSIF257.tmp	Zamzar Installer.exe
PID 3976 wrote to memory of 3400	3976	MSIF257.tmp	Zamzar Installer.exe
PID 3400 wrote to memory of 2764	3400	Zamzar Installer.exe	regsvr32.exe
PID 3400 wrote to memory of 2764	3400	Zamzar Installer.exe	regsvr32.exe
PID 4052 wrote to memory of 2136	4052	Zamzar.exe	Zamzar.exe
PID 4052 wrote to memory of 2136	4052	Zamzar.exe	Zamzar.exe
PID 4052 wrote to memory of 4212	4052	Zamzar.exe	Zamzar.exe
PID 4052 wrote to memory of 4212	4052	Zamzar.exe	Zamzar.exe
PID 4052 wrote to memory of 2156	4052	Zamzar.exe	Zamzar.exe
PID 4052 wrote to memory of 2156	4052	Zamzar.exe	Zamzar.exe
PID 2852 wrote to memory of 2104	2852	svchost.exe	dashost.exe
PID 2852 wrote to memory of 2104	2852	svchost.exe	dashost.exe
PID 3592 wrote to memory of 3512	3592	Zamzar.exe	Zamzar.exe
PID 3592 wrote to memory of 3512	3592	Zamzar.exe	Zamzar.exe
PID 4212 wrote to memory of 1368	4212	Zamzar.exe	msedge.exe
PID 4212 wrote to memory of 1368	4212	Zamzar.exe	msedge.exe
PID 1368 wrote to memory of 3456	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 3456	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 652	1368	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe
C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe /i "C:\Users\Admin\AppData\Roaming\Zamzar Ltd\Zamzar 1.1.0\install\x64-build.msi" /L*V C:\Users\Admin\AppData\Local\Temp\zamzar_install.log AI_EUIMSI=1 AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe" PrimaryVolumeSpaceRequired="535761" PrimaryVolumeSpaceAvailable="41702840" TARGETDIR="F:\" AppsShutdownOption="All" CustomActionData="Zamzar.exe" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Zamzar-1.1.0.Setup.exe" AI_INSTALL="1" APPDIR="C:\Users\Admin\AppData\Roaming\Zamzar" SHORTCUTDIR="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zamzar" SECONDSEQUENCE="1" CLIENTPROCESSID="1632" CHAINERUIPROCESSID="1632Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_DETECTED_ADMIN_USER="1" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1716226903 "
2⤵
- Enumerates connected drives
- Modifies system certificate store
PID:2984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D84875A40C3F3169129038CACBB7D664 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4768

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 74BB20B38A7473A735040A38F9EBEE4D
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Windows\Installer\MSIF257.tmp
"C:\Windows\Installer\MSIF257.tmp" /RunAsAdmin "C:\Users\Admin\AppData\Local\Zamzar\resources\app\installer\Zamzar Installer.exe" --install "C:\Users\Admin\AppData\Local\Zamzar\resources\app\installer\zamzar.dll" "C:\Users\Admin\AppData\Roaming\Zamzar\DLL\\zamzar.dll"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Zamzar\resources\app\installer\Zamzar Installer.exe
"C:\Users\Admin\AppData\Local\Zamzar\resources\app\installer\Zamzar Installer.exe" --install "C:\Users\Admin\AppData\Local\Zamzar\resources\app\installer\zamzar.dll" "C:\Users\Admin\AppData\Roaming\Zamzar\DLL\\zamzar.dll"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Roaming\Zamzar\DLL\\zamzar.dll" /s
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2680

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --firstrun
1⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --mojo-platform-channel-handle=2268 --field-trial-handle=2272,i,8773584946124502188,1308467090614240076,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --app-user-model-id=electron.app.Zamzar --app-path="C:\Users\Admin\AppData\Local\Zamzar\resources\app" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2460 --field-trial-handle=2272,i,8773584946124502188,1308467090614240076,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://secure.zamzar.com/signup/?dsk-cl2
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa4a7946f8,0x7ffa4a794708,0x7ffa4a794718
4⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
4⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
4⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
4⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
4⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
4⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,862957450799353856,8549718547295465593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6068

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --app-user-model-id=electron.app.Zamzar --app-path="C:\Users\Admin\AppData\Local\Zamzar\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2664 --field-trial-handle=2272,i,8773584946124502188,1308467090614240076,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2156

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --app-user-model-id=Zamzar --app-path="C:\Users\Admin\AppData\Local\Zamzar\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4180 --field-trial-handle=2272,i,8773584946124502188,1308467090614240076,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\dashost.exe
dashost.exe {be0432eb-c839-4539-adf2e01abcd16b04}
2⤵
PID:2104

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe "C:\Users\Admin\Desktop\InitializeSkip.midi" mp3
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --mojo-platform-channel-handle=1940 --field-trial-handle=1952,i,15316911074992812285,15748314512794287929,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5300

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe "C:\Users\Admin\Desktop\InitializeSkip.midi" wma
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --mojo-platform-channel-handle=1976 --field-trial-handle=1980,i,2842013454892296587,15036386574929886874,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5880

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe "C:\Users\Admin\Desktop\CopyPing.jpeg" png
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6132

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --mojo-platform-channel-handle=2352 --field-trial-handle=2356,i,16609393815172564885,18139422136437486749,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5296

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe "C:\Users\Admin\Desktop\UnprotectRegister.gif" png
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5768

C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe
"C:\Users\Admin\AppData\Local\Zamzar\Zamzar.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Zamzar" --mojo-platform-channel-handle=1872 --field-trial-handle=1876,i,569537639151568797,18433108222625296103,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery