Malware Analysis Report

2024-11-30 13:04

Sample ID 240620-kkg3zsseqr
Target ZoomInfoContactContributor.exe
SHA256 2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b
Tags
discovery persistence pyinstaller
score
7/10


Analysis Overview

score
7/10

SHA256

2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b

Threat Level: Shows suspicious behavior

The file ZoomInfoContactContributor.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence pyinstaller

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

Program crash

NSIS installer

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 08:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:41

Platform

win7-20240419-en

Max time kernel

114s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZoomInfo Contact Contributor = "C:\\Users\\Admin\\AppData\\Local\\ZoomInfoCEUtility\\launch.bat" C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe N/A

Checks installed software on the system

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD7FAB41-2EE0-11EF-91AC-F2A35BA0AE8D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425034666" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0995090edc2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000108edcbb5a7f55bdbb887bd8ebd2b57de89137516a53849c1ebf755d9c4acb59000000000e8000000002000020000000fe03d5e3461af71d702f252d01b0cb882fa94707c9303191ce2d1946a043a3e720000000d40adbf079cb9267c7f963203190d44de486bab488ce01cf1b988913754a342e40000000bb23456e561f59b4e5736d6ad28407f184dac8d3cb26fc6fbf0160b11af566a0ac54288d45b27ddc2a18d7a5cb8294321599ef2e0892f86324bb0dca7a58d733 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe
PID 1884 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1916 wrote to memory of 2244 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1916 wrote to memory of 1316 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe

"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\launch.bat""

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe

"C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://cswapper.freshcontacts.com/client/installsuccess?client_version=62&os_version=Windows 6.1 Service Pack 1 7601 64 [ ]&outlook_version=14&outlook_bitness=32&autostart=1&client_id={522486F9-8A3B-4854-B1CF-F3C35FE4C11D}&reachout=true&appid=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:668681 /prefetch:2

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\GetVersion.dll

MD5 2e2412281a205ed8d53aafb3ef770a2d
SHA1 3cae4138e8226866236cf34f8fb00dafb0954d97
SHA256 db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00
SHA512 6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\FindProcDLL.dll

MD5 83cd62eab980e3d64c131799608c8371
SHA1 5b57a6842a154997e31fab573c5754b358f5dd1c
SHA256 a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294
SHA512 91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

memory/1884-50-0x0000000000590000-0x000000000059B000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\nsisunz.dll

MD5 5f13dbc378792f23e598079fc1e4422b
SHA1 5813c05802f15930aa860b8363af2b58426c8adf
SHA256 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA512 9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Africa\Dakar

MD5 09a9397080948b96d97819d636775e33
SHA1 5cc9b028b5bd2222200e20091a18868ea62c4f18
SHA256 d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997
SHA512 2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Africa\Djibouti

MD5 9953f5fda89eba25650d5e42adda36cd
SHA1 cc8958cc687a1f8169316cd7a93764403e935740
SHA256 52e9bc212ce945a0e1f37d223647d1bdaf919fa353bae1873568e28390b6f59a
SHA512 61b92a1a9978a58597f2fec6949605ee0fbcd7e4a4e31861a0647c20d1ebbdefb01c72a9f24a77807a1129c6720f3a1fc0e7fc9ab83789caebfc69a9540ce763

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Africa\Kigali

MD5 b77fb20b4917d76b65c3450a7117023c
SHA1 b99f3115100292d9884a22ed9aef9a9c43b31ccd
SHA256 93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682
SHA512 a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Africa\Lagos

MD5 3b4db0742fa8267a2d7efa548a30f9a2
SHA1 cdca88d4a729d78b572a5d3cc84f3e99989e4f46
SHA256 c6a2cd1aa6e31d9d49b881ec1173fdb6d5d26f7bfe196a7df12275e292fab14c
SHA512 fa356585caa8325d3f74251256c3ca2b894904dcdb7ad5f2ed6bb7ec12c98fdf3d69a080a0af413ef7ca101f9ccbc2fb28fb6d5d6a6d2f84281ccbd798fbb6da

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\America\Guadeloupe

MD5 ea7e528e528955259af3e65d86ba8e49
SHA1 8ee1b0d3b895b4195e0b580b67c0b2ee1010d29d
SHA256 d7b813d9e39530528917fb32a700cfb9d905c061228eb45f90153e68adc52fad
SHA512 95996a13576f1b9b6a58c4636dd56ce44e5c702416ad83d59cbaa588962c9a5865ff1c5f3769a475eaf9994d2baaa429eb99869fd4110b93679d94f81cbb1304

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Etc\Greenwich

MD5 9cd2aef183c064f630dfcf6018551374
SHA1 2a8483df5c2809f1dfe0c595102c474874338379
SHA256 6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d
SHA512 dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Europe\London

MD5 3d9add8c0dd4f406b8a9ad6f1219fb95
SHA1 c0b30d0940f65b8819cd6628d0670784dcb6b344
SHA256 c69d3cc15e384d932601d06aa69b6d0c285001bf2d44dd3719c121b7df5162d6
SHA512 9c82987fa7919fc333f3f04b309345b91240fa60d205a144b6ca10fcb586fddc3e9725e71da5a588eddd21bf99265dfe1495bb16df4367a82df57e103a324c78

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\Europe\Skopje

MD5 6213fc0a706f93af6ff6a831fecbc095
SHA1 961a2223fd1573ab344930109fbd905336175c5f
SHA256 3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a
SHA512 8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\PRC

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pytz\zoneinfo\UCT

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\launch.bat

\Users\Admin\AppData\Local\ZoomInfoCEUtility\uninstall.exe

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\coordinator.exe

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\version.dat

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\_ctypes.pyd

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\_hashlib.pyd

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\bz2.pyd

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\msvcr90.dll

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\win32api.pyd

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\python27.dll

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pythoncom27.dll

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\_socket.pyd

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\_ssl.pyd

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pywintypes27.dll

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\win32gui.pyd

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\win32evtlog.pyd

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\BadEmailDomains.txt

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\unicodedata.pyd

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\libopenblas.FN5FF57TWHUYLRG54LA6B33EZPHYZZL4.gfortran-win32.dll

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\numpy.core._multiarray_umath.pyd

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\dict.json

memory/1304-1976-0x00000000096A0000-0x000000000973D000-memory.dmp

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\numpy.random.mtrand.pyd

memory/1304-1973-0x0000000003680000-0x0000000003693000-memory.dmp

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\numpy.fft.fftpack_lite.pyd

memory/1304-1970-0x0000000003660000-0x000000000367C000-memory.dmp

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\numpy.linalg._umath_linalg.pyd

C:\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\pandas._libs.tslibs.conversion.pyd

memory/1304-1987-0x000000000B820000-0x000000000B867000-memory.dmp

memory/1304-1983-0x000000000B770000-0x000000000B7C6000-memory.dmp

memory/1304-1988-0x000000000B870000-0x000000000B89B000-memory.dmp

memory/1304-1982-0x00000000006C0000-0x00000000006CD000-memory.dmp

memory/1304-1980-0x000000000B740000-0x000000000B763000-memory.dmp

memory/1304-1986-0x00000000036F0000-0x00000000036FE000-memory.dmp

memory/1304-1985-0x000000000B7D0000-0x000000000B81C000-memory.dmp

memory/1304-1979-0x00000000036A0000-0x00000000036E5000-memory.dmp

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\numpy.linalg.lapack_lite.pyd

memory/1304-1965-0x0000000003640000-0x000000000365D000-memory.dmp

\Users\Admin\AppData\Local\ZoomInfoCEUtility\2258\numpy.core._multiarray_tests.pyd

C:\Users\Admin\AppData\Local\Temp\Cab82D8.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar836C.tmp

memory/1304-2164-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1304-2165-0x0000000062340000-0x00000000639E9000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\captcha[1].js

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 08:39
Reported 2024-06-20 08:42
Platform win10v2004-20240508-en
Max time kernel 146s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2376 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2376 wrote to memory of 3024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2376 wrote to memory of 3024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2376 wrote to memory of 4224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2376 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe

"C:\Users\Admin\AppData\Local\Temp\ZoomInfoContactContributor.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cswapper.freshcontacts.com/client/installfailure?client_version=62&failure_point=DetermineOutlookCompatibility&os_version=Windows 6.2 9200 64 [ ]&outlook_version=none&outlook_bitness=none&client_id={DAD44E93-EF1F-4D2F-BD34-9F0E543156E7}&error_message=&reachout=true&appid=3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffefbe346f8,0x7ffefbe34708,0x7ffefbe34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4340 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14077495056291598030,8423060547155849090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 cswapper.freshcontacts.com udp
US 8.8.8.8:53 cswapper.freshcontacts.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 cswapper.freshcontacts.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 cswapper.freshcontacts.com udp
US 8.8.8.8:53 cswapper.freshcontacts.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf471C.tmp\NSISdl.dll

MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

C:\Users\Admin\AppData\Local\Temp\nsf471C.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsf471C.tmp\GetVersion.dll

MD5 2e2412281a205ed8d53aafb3ef770a2d
SHA1 3cae4138e8226866236cf34f8fb00dafb0954d97
SHA256 db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00
SHA512 6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_2376_UWYPOSLXVSGLXSIA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dcf25b1f663cb1ff058c3d36772c5728
SHA1 19f41a497e4b9de748a3d12d035f70c1319b4398
SHA256 2377d1471d6888fc612dc26d2b1be5ddeb82082dd1574e4fdcd072fc1ae6233b
SHA512 560842bb73300f9e85a434ed5d4a366ea7f3e30693d22fa407e5b3003e0b3aededea93376abc1c2dd3239d20dfd990d3096e0e5c57f4be41860a667c9a6971b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 81c8a90afbc2c550d710fcdc3add9d25
SHA1 0204270d4d2f198c2d7817ab948aa8071bd7347e
SHA256 41222177828accb3a368db7b095ccb9881a8f6588575b68a6a4ab5da42e99bc5
SHA512 6ea1641c442ae0ce099c37ccb6d00129ec03574d307ca5e89bb12992fd309c8bb6f591252f11f6cc8dfc3f08883f37b5f8dbcb13591bd9c88d14c20a7d1ca6d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 27cbec619c28acd4ca7709422f55d2d4
SHA1 fbcec92f7a4b1b01b9741589877503d3ccdfd1e5
SHA256 ce1ce421fd4d688a90ce6a37e9948ec21097fe2c862987a7cfb57644d0d70985
SHA512 aa462e5072dec73f41a18d57d4bdc7b1af822a417a1eda4f19d66eba6149c2df9015d316d43fa8965bf390548383fefb636544e730d1492a9f7d851902a22974

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 4180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4180 -ip 4180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 106.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$TEMP\

Network

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 9b5a8a1e1a13cb6f5d344cf5f92866f9
SHA1 db6e74fa5b1abbd8a412e21b437d03d173617bf9
SHA256 9c3e4cbf323170eaf1d82a59496557f8013b65d0853bb05b7c054f0d5d856889
SHA512 2dfc4dae9f743831e2e67861e5cd5a118a967fdba9b0c2655e9e71614fa76762b3fcc175feb98c7801d3f753cfe1156168f9125c905b14c28caa0babb4566aaa

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20240220-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20240611-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20240611-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 248

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 3808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisunz.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 4248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisunz.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisunz.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4248 -ip 4248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 106.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 4896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4896 -ip 4896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4724 wrote to memory of 768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4724 wrote to memory of 768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 616

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisunz.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisunz.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisunz.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1856 wrote to memory of 2900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 2900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4432,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
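The Network tables in this report are almost entirely reverse-DNS (PTR) queries sent to 8.8.8.8. An in-addr.arpa name stores the address octets in reverse order, so 97.17.167.52.in-addr.arpa is a lookup of 52.167.17.97, and reading the name left to right as an address gives the wrong host. The helper below is an added example and not part of the report: it decodes those names back to addresses and separates them from the direct connections. The rows it runs over are constructed from this table plus the one direct TCP entry shown earlier in the report; the report does not say which process triggered the lookups, so the output is context for triage, not an attribution.

```python
"""Added example (not part of the sandbox report): decode in-addr.arpa PTR
names from the report's Network tables back to IPv4 addresses and list the
direct connections separately.

The rows below are constructed from the report's behavioral6 Network table
and the single direct TCP row seen earlier in the report.
"""
import ipaddress
import re

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)

# Columns as in the report: Country Destination Domain Proto. The direct
# TCP row has no Domain column, so it has only three fields.
NETWORK_ROWS = """US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp"""


def ptr_to_ip(name):
    """Return the dotted IPv4 address a PTR name refers to, or None."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = [int(o) for o in reversed(m.groups())]  # PTR names are reversed
    if any(o > 255 for o in octets):
        return None
    return str(ipaddress.IPv4Address(".".join(map(str, octets))))


def parse_rows(text):
    """Split report rows into (direct connections, addresses looked up via PTR)."""
    direct, looked_up = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            _country, dest, proto = parts
            domain = None
        else:
            continue  # not a table row
        ip = ptr_to_ip(domain) if domain else None
        if ip:
            looked_up.add(ip)
        else:
            direct.append((dest, proto, domain))
    return direct, sorted(looked_up, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    conns, ptr_ips = parse_rows(NETWORK_ROWS)
    print("direct:", conns)
    print("reverse-resolved:", ptr_ips)
```

Note that 8.8.8.8.in-addr.arpa is the host reverse-resolving its own resolver, and that a PTR query only shows the host wanted a name for that address (commonly after a connection, but Windows components and sandbox tooling issue them too); it is not evidence of a connection by the sample on its own.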

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 08:39

Reported

2024-06-20 08:42

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe N/A

Enumerates physical storage devices

NSIS installer (tag: installer)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\uninstall_fc.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$TEMP\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 9b5a8a1e1a13cb6f5d344cf5f92866f9
SHA1 db6e74fa5b1abbd8a412e21b437d03d173617bf9
SHA256 9c3e4cbf323170eaf1d82a59496557f8013b65d0853bb05b7c054f0d5d856889
SHA512 2dfc4dae9f743831e2e67861e5cd5a118a967fdba9b0c2655e9e71614fa76762b3fcc175feb98c7801d3f753cfe1156168f9125c905b14c28caa0babb4566aaa