Command Zero
Narration by Agent Zero
Medium
run-0eec85a9-3c05-43aa-b843-4465bb8a375f
Malicious
High confidence
  • malware
  • social-engineering
  • adsunwan
  • microsoft-defender
  • endpoint-security

Adsunwan Malware Detected in Corporate Downloads Folder

Microsoft Defender detected Adsunwan malware disguised as ZoomInfo software in a corporate user's Downloads folder. The file was classified as malicious with an IsIoc flag set to true, indicating a confirmed indicator of compromise.

AUTONOMOUS INVESTIGATION · Command Zero · Agent Zero
Investigation time: 1m 44s (autonomous)
Questions asked: 1 (Microsoft 365 Defender)
Records analyzed: 6 (across all data sources)
Human analysis: ~1 hr (Tier-2 equivalent *)
Analyst cost saved: ~$65 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

Microsoft Defender for Endpoint detected a malicious executable file named "ZoomInfoContactContributor (1).exe" in the Downloads folder of user user_1 on a domain-joined Windows 10 system (ws-001.[INTERNAL_DOMAIN_1].local) on 2026-03-11 at 16:35:14 UTC. The file was classified as Adsunwan malware with an IsIoc (Indicator of Compromise) flag set to true and received a "Suspicious" verdict from the security platform. The filename pattern is the signal within the signal: "ZoomInfoContactContributor (1).exe" mimics legitimate ZoomInfo business software, a common social engineering tactic to trick users into executing malware. The duplicate numbering in parentheses suggests the user may have downloaded the file multiple times, increasing the likelihood of user interaction. Microsoft Defender's "Active" remediation state indicates ongoing security response. While the file was successfully detected and blocked, the available telemetry does not confirm whether execution occurred before detection or if the system sustained any compromise. The investigation correlated data from Microsoft 365 Defender advanced hunting across 6 records in 1 minute 44 seconds.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1 · Could this be an account compromise?

Ruled out
Supporting evidence (Moderate): File detected in user's Downloads folder
Supporting evidence (Moderate): Domain-joined Windows 10 system
Supporting evidence (Moderate): Adsunwan malware classification
Dismissed: While the file was detected on a domain-joined corporate device, there is no evidence that any account credentials were compromised or that unauthorized access occurred. The detection appears to be limited to the presence of a malicious file in the user's Downloads folder, with no indication of successful execution or credential theft. · High confidence
H2 · Could this be normal activity?

Ruled out
Supporting evidence (Moderate): File classified as Adsunwan malware
Supporting evidence (Moderate): IsIoc flag set to true
Supporting evidence (Moderate): 'Suspicious' verdict from Microsoft Defender
Dismissed: The presence of a file classified as Adsunwan malware with an IsIoc flag set to true and a 'Suspicious' verdict from Microsoft Defender clearly indicates this is not normal activity. The file is explicitly identified as malicious by the security tool, ruling out any possibility of this being normal business operations. · High confidence
H3 · Could this be a false positive?

Ruled out
Supporting evidence (Moderate): Explicit Adsunwan threat family classification
Supporting evidence (Moderate): IsIoc flag set to true
Supporting evidence (Moderate): 'Suspicious' verdict from Microsoft Defender
Dismissed: The detection is unlikely to be a false positive, as Microsoft Defender has explicitly classified the file as Adsunwan malware with an IsIoc flag set to true. The file naming pattern suggests a potential social engineering attempt to impersonate legitimate ZoomInfo software. There is no evidence suggesting this is a benign file incorrectly flagged. · High confidence
H4 · Could this be a fully compromised system?

Ruled out
Supporting evidence (Moderate): Malicious file detected in Downloads folder
Supporting evidence (Moderate): No process execution logs available
Supporting evidence (Moderate): No network connection data showing C2 communication
Dismissed: While a malicious file was detected, there is insufficient evidence to conclude that the system has been fully compromised. The report does not include process execution logs, network connection data, or other telemetry that would confirm the malware was executed and established persistence or control over the system. The detection may represent a pre-execution identification by antivirus. · Medium confidence

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

file detection: File 'ZoomInfoContactContributor (1).exe' detected in user user_1's Downloads folder on host ws-001.[INTERNAL_DOMAIN_1].local (source: Microsoft Defender for Endpoint)
threat classification: File classified as Adsunwan threat family with IsIoc flag set to true and 'Suspicious' verdict (source: Microsoft Defender for Endpoint)
file metadata: File hash values identified: MD5 1c0674970e55ff28e3d6d4b9fc435f39, SHA1 e33df0cd1ead927fb3ad769ff311e5598c533da2, SHA256 be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db (source: Microsoft Defender for Endpoint)
file metadata: File size 265,600 bytes, confirmed as Windows Portable Executable (IsPe: true) (source: Microsoft Defender for Endpoint)
detection timestamp: Detection occurred at 2026-03-11T16:35:14.926648Z on a domain-joined Windows 10 system (source: Microsoft Defender for Endpoint)
host status: Host marked as 'Impacted' with 'Suspicious' verdict and 'Active' remediation state (source: Microsoft Defender for Endpoint)
filename analysis: Filename pattern 'ZoomInfoContactContributor (1).exe' suggests a duplicate download, potentially impersonating legitimate ZoomInfo software (source: Microsoft Defender for Endpoint)

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1
    Verified the file classification by Microsoft Defender
    Pass
  2. fp2
    Analyzed filename pattern for legitimacy
    Pass
  3. fp3
    Evaluated file characteristics
    Pass

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Malware Detection · Suspicious File Execution

Technique | Tactic | Context
T1566.002 Phishing: Spearphishing Attachment | Initial Access | Flag executable files in user Downloads folders with names impersonating legitimate business software (ZoomInfo, Slack, Teams, etc.). Alert on files with IsIoc flags set to true or classified as known malware families. Monitor for bulk downloads of similarly-named executables from the same user within short time windows, which may indicate repeated social engineering attempts or user confusion.
T1204.002 User Execution: Malicious File | Execution | Monitor for execution of files from user Downloads folders that match known malware hashes or threat families. Correlate file detection alerts with process creation events to determine if the malware was executed before antivirus intervention. Alert on parent processes (explorer.exe, cmd.exe) launching executables from Downloads with suspicious naming patterns or known malicious classifications.
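The correlation the T1204.002 entry above describes (match a file-detection alert against process-creation events on the same host, and weigh the IsIoc flag, threat family and impersonating filename alongside it), written out as an added Python example; this is not Command Zero's or Agent Zero's code. The record layouts, the IMPERSONATED_BRANDS list and the 24-hour correlation window are assumptions. The alert values are taken from this report; the process-creation events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Brands commonly impersonated in lure filenames (assumption: tune to your environment).
IMPERSONATED_BRANDS = ("zoominfo", "slack", "teams", "salesforce")
# Browser duplicate-download suffix, e.g. "name (1)".
DUPLICATE_SUFFIX = re.compile(r"^(?P<stem>.+?) \((?P<n>\d+)\)$")


@dataclass
class FileAlert:
    """A file-detection alert (assumed layout; FolderPath is the full file path)."""
    timestamp: datetime
    device: str
    file_name: str
    folder_path: str
    sha256: str
    threat_family: str
    is_ioc: bool


@dataclass
class ProcessEvent:
    """A process-creation event (assumed layout; folder_path is the image's full path)."""
    timestamp: datetime
    device: str
    file_name: str
    folder_path: str
    sha256: str
    parent: str


def analyze_filename(file_name: str) -> dict:
    """Split off the extension and any ' (n)' suffix, then look for an impersonated brand."""
    stem, dot, ext = file_name.rpartition(".")
    if not dot:
        stem, ext = file_name, ""
    dup = DUPLICATE_SUFFIX.match(stem)
    base = dup.group("stem") if dup else stem
    lowered = base.lower()
    return {
        "is_executable": ext.lower() in ("exe", "msi", "scr"),
        "brand": next((b for b in IMPERSONATED_BRANDS if b in lowered), None),
        "duplicate_index": int(dup.group("n")) if dup else 0,
    }


def triage(alert: FileAlert, events: list, window: timedelta = timedelta(hours=24)) -> dict:
    """Correlate one alert with process-creation telemetry and summarise the signals."""
    info = analyze_filename(alert.file_name)
    in_downloads = "\\downloads\\" in alert.folder_path.lower()
    # An execution counts if the same host ran the same hash or the same path near the alert.
    executions = [
        e for e in events
        if e.device == alert.device
        and abs(e.timestamp - alert.timestamp) <= window
        and (e.sha256.lower() == alert.sha256.lower()
             or e.folder_path.lower() == alert.folder_path.lower())
    ]
    signals = []
    if alert.is_ioc:
        signals.append("IsIoc=true")
    if alert.threat_family:
        signals.append(f"family={alert.threat_family}")
    if in_downloads and info["is_executable"] and info["brand"]:
        signals.append(f"impersonates {info['brand']}")
    if info["duplicate_index"]:
        signals.append(f"duplicate-download suffix ({info['duplicate_index']})")
    status = "executed" if executions else "pre-execution (no process creation seen)"
    # IsIoc alone is enough to escalate; a matching execution makes it urgent.
    return {"status": status, "executions": executions, "signals": signals,
            "escalate": alert.is_ioc or bool(executions)}


# Alert values from this report; the two process events are constructed and benign.
T0 = datetime(2026, 3, 11, 16, 35, 14, tzinfo=timezone.utc)
SAMPLE_ALERT = FileAlert(
    T0, "ws-001", "ZoomInfoContactContributor (1).exe",
    r"C:\Users\user_1\Downloads\ZoomInfoContactContributor (1).exe",
    "be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db",
    "Adsunwan", True)
SAMPLE_EVENTS = [
    ProcessEvent(T0 - timedelta(minutes=15), "ws-001", "notepad.exe",
                 r"C:\Windows\System32\notepad.exe", "ff" * 32, "explorer.exe"),
    ProcessEvent(T0 - timedelta(minutes=2), "ws-001", "chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ee" * 32, "explorer.exe"),
]


def run_sample() -> dict:
    return triage(SAMPLE_ALERT, SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_sample())
```

With no process-creation event for the file, the result is the same "pre-execution" status this report settled on; a matching event in the window flips it to "executed", which is the case the T1204.002 entry wants surfaced.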

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. Microsoft Defender explicitly classified the file as Adsunwan malware with an IsIoc flag set to true, a definitive indicator of compromise

2. Specific hash values were identified (MD5 1c0674970e55ff28e3d6d4b9fc435f39, SHA1 e33df0cd1ead927fb3ad769ff311e5598c533da2, SHA256 be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db) that match known malicious patterns

3. The filename pattern "ZoomInfoContactContributor (1).exe" matches known social engineering tactics impersonating legitimate business software

4. The file was confirmed as a Windows Portable Executable (IsPe: true) with a size of 265,600 bytes, consistent with malicious executables

Confidence remains High rather than Confirmed because the available data does not include process execution logs, network connection data, or persistence indicators that would confirm the malware was executed and established control over the system; the detection may represent pre-execution identification by antivirus.

Lessons

  1. 01
    Filename impersonation is a reliable social engineering signal. The 'ZoomInfoContactContributor (1).exe' filename mimics legitimate business software to lower user suspicion. In this investigation, the duplicate numbering in parentheses suggested the user had downloaded the file multiple times, indicating the social engineering tactic was effective at the user level. Always flag executables in Downloads folders with names matching legitimate SaaS platforms (ZoomInfo, Slack, Teams, Salesforce, etc.), especially when the IsIoc flag is set. The filename alone is not proof, but combined with threat classification, it's a strong indicator of deliberate impersonation.
  2. 02
    Pre-execution detection is not the same as containment. Microsoft Defender detected this file before execution, which is a win for the security stack. However, the investigation did not confirm whether the user had already executed the file before the detection occurred. Always correlate file detection alerts with process creation logs and network telemetry to determine the true execution timeline. A file sitting in Downloads with an 'Active' remediation state may mean the user is still interacting with it, not that it was safely contained.
  3. 03
    Absence of evidence is not evidence of absence in malware investigations. This investigation dismissed the 'Compromised' verdict as 'Medium confidence' because process execution logs, network connections, and persistence indicators were not available. The lack of these logs does not prove the malware was not executed—it means the investigation lacked the telemetry to confirm execution. When investigating malware detections, always request endpoint detection and response (EDR) logs, process creation events, and network connection data. If these are unavailable, escalate the confidence level downward and recommend immediate EDR deployment or forensic analysis.
  4. 04
    IsIoc flag is a high-confidence malware indicator. Microsoft Defender's IsIoc flag set to true means the file hash is a confirmed indicator of compromise in threat intelligence databases. In this investigation, the IsIoc flag combined with the Adsunwan threat family classification and the suspicious filename pattern created a convergence of signals that ruled out false positive and normal activity verdicts with high confidence. When you see IsIoc set to true, treat it as a strong signal for escalation and immediate remediation, not as a candidate for further analysis.
  5. 05
    Social engineering attacks target the user, not just the system. The 'ZoomInfoContactContributor (1).exe' file was found in user user_1's Downloads folder, indicating user interaction. The duplicate numbering suggests the user may have been confused or re-downloaded the file. When investigating malware detections in user-writable directories like Downloads, always include user awareness and training in the remediation plan. A single blocked file is a technical win, but if the user is still vulnerable to the social engineering tactic, the risk persists.