Analysis
max time kernel: 123s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 24/12/2022, 09:28
Static task: static1
Behavioral task: behavioral1 (Sample: ZoomInstallerFull.exe, Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: ZoomInstallerFull.exe, Resource: win10v2004-20221111-en)
General
Target: ZoomInstallerFull.exe
Size: 76.4MB
MD5: aeb04e767a408e5ac643cd467751afff
SHA1: cc2b84718bcec1fe34b3e9189762149f4a91fc23
SHA256: 9108e1d22d74bc5397b8886edc4f0a84b8906436a648ef8a86f30cf7e08978dd
SHA512: d7e4e4c523290ac5afec1382c275dacc8a1657d7a75c2298c3bbf1fe7881253a3b5005895b72954f5062f6cd25a52df6f72c4d0022335f2349c6ede2d0e66114
SSDEEP: 1572864:jpDrQefrQSB+gTC4GB3RA9MLhWG7VYlSGTbANByfGajuTgIrPJGsF:9DLfrQQ/FA3RAicfUjByfFIDJ
Malware Config
Extracted
icedid
3280585787
trbiriumpa.com
Signatures

Blocklisted process makes network request (4 IoCs)
flow  pid   Process
5     4764  rundll32.exe
11    4664  msiexec.exe
43    4764  rundll32.exe
46    4764  rundll32.exe
Executes dropped EXE (3 IoCs)
pid   Process
4420  ZoomOutlookIMPlugin.exe
1360  CptInstall.exe
3780  CptService.exe
Loads dropped DLL (15 IoCs)
pid   Process
4764  rundll32.exe
640   MsiExec.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc  Process
Key created      \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  MsiExec.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair = "\"C:\\Program Files (x86)\\Zoom\\bin\\installer.exe\" /repair"  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description             ioc     Process
File opened (read-only) \??\M:  msiexec.exe
File opened (read-only) \??\N:  msiexec.exe
File opened (read-only) \??\T:  msiexec.exe
File opened (read-only) \??\X:  msiexec.exe
File opened (read-only) \??\A:  msiexec.exe
File opened (read-only) \??\G:  msiexec.exe
File opened (read-only) \??\T:  msiexec.exe
File opened (read-only) \??\W:  msiexec.exe
File opened (read-only) \??\L:  msiexec.exe
File opened (read-only) \??\S:  msiexec.exe
File opened (read-only) \??\V:  msiexec.exe
File opened (read-only) \??\H:  msiexec.exe
File opened (read-only) \??\U:  msiexec.exe
File opened (read-only) \??\K:  msiexec.exe
File opened (read-only) \??\Q:  msiexec.exe
File opened (read-only) \??\J:  msiexec.exe
File opened (read-only) \??\W:  msiexec.exe
File opened (read-only) \??\B:  msiexec.exe
File opened (read-only) \??\J:  msiexec.exe
File opened (read-only) \??\R:  msiexec.exe
File opened (read-only) \??\U:  msiexec.exe
File opened (read-only) \??\B:  msiexec.exe
File opened (read-only) \??\K:  msiexec.exe
File opened (read-only) \??\O:  msiexec.exe
File opened (read-only) \??\I:  msiexec.exe
File opened (read-only) \??\Y:  msiexec.exe
File opened (read-only) \??\E:  msiexec.exe
File opened (read-only) \??\F:  msiexec.exe
File opened (read-only) \??\L:  msiexec.exe
File opened (read-only) \??\H:  msiexec.exe
File opened (read-only) \??\I:  msiexec.exe
File opened (read-only) \??\M:  msiexec.exe
File opened (read-only) \??\P:  msiexec.exe
File opened (read-only) \??\P:  msiexec.exe
File opened (read-only) \??\S:  msiexec.exe
File opened (read-only) \??\X:  msiexec.exe
File opened (read-only) \??\Z:  msiexec.exe
File opened (read-only) \??\A:  msiexec.exe
File opened (read-only) \??\E:  msiexec.exe
File opened (read-only) \??\F:  msiexec.exe
File opened (read-only) \??\Y:  msiexec.exe
File opened (read-only) \??\Z:  msiexec.exe
File opened (read-only) \??\O:  msiexec.exe
File opened (read-only) \??\V:  msiexec.exe
File opened (read-only) \??\G:  msiexec.exe
File opened (read-only) \??\N:  msiexec.exe
File opened (read-only) \??\Q:  msiexec.exe
File opened (read-only) \??\R:  msiexec.exe
Drops file in Program Files directory (64 IoCs)
description                   ioc  Process
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f646-1f3ff-2640.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f52b.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f1fe.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3ff-1f52c.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\270a-1f3ff.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f004.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f38a.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3ff-1f33e.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f58c.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\269c.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f1fb-1f1ee.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\274c.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f1f2-1f1fa.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f6ab.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\2665.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f595.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\27bf.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f1fa-1f1f8.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3ff-1f9bc.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fe-1f384.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f44a.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fb-2764-1f48b-1f468-1f3fd.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f482.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f64d-1f3fd-2640.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f93e.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\267e.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\bin\api-ms-win-core-interlocked-l1-1-0.dll  msiexec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f9da-1f3ff-2640.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f321.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f573.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f401.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f627.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fe-1f9bc.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\bin\api-ms-win-crt-process-l1-1-0.dll  msiexec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f64f.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f3cc-1f3fe-2642.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f3cc-1f3ff.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\25c0.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f1e8-1f1fa.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f64e-1f3fc-2642.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1fa72.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f387.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3ff-1f527.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fc-1f9bd.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f9dc-1f3fb-2642.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\267f.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f1e8-1f1f3.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f351.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f999.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f595-1f3fb.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fd-1f91d-1f9d1-1f3fd.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f1ea.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3ff-1f4bc.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fb.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fd-1f692.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3ff-2764-1f48b-1f468-1f3fd.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f939-1f3fe-2640.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f35d.svg  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\1f393.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fe-1f91d-1f468-1f3ff.svg  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f9e0.png  MsiExec.exe
File created                  C:\Program Files (x86)\Zoom\bin\zAppUI.dll  msiexec.exe
File created                  C:\Program Files (x86)\Zoom\resources\Emojis\2623.png  MsiExec.exe
File opened for modification  C:\Program Files (x86)\Zoom\resources\Emojis\1f477-1f3fe.svg  MsiExec.exe
Drops file in Windows directory (10 IoCs)
description                   ioc  Process
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File created                  C:\Windows\Installer\SourceHash{D2D52E89-6EC4-456C-ACDB-874925BDE05A}  msiexec.exe
File created                  C:\Windows\Installer\e56ed81.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIF542.tmp  msiexec.exe
File created                  C:\Windows\Installer\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\_6FEFF9B68218417F98F549.exe  msiexec.exe
File opened for modification  C:\Windows\Installer\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\_6FEFF9B68218417F98F549.exe  msiexec.exe
File created                  C:\Windows\Installer\e56ed84.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\e56ed81.msi  msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description       ioc  Process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value removed from page]  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Modifies Internet Explorer settings (7 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppName = "Zoom.exe"  MsiExec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppPath = "C:\\Program Files (x86)\\Zoom\\bin"  MsiExec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\Policy = "3"  MsiExec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Zoom.exe = "11000"  MsiExec.exe
Key created      \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\zoommtg  MsiExec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\zoommtg\WarnOnOpen = "0"  MsiExec.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}  MsiExec.exe
Modifies data under HKEY_USERS (64 IoCs)
description      ioc  Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  CptInstall.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  CptInstall.exe
Key deleted      \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E  msiexec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  ZoomOutlookIMPlugin.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  ZoomOutlookIMPlugin.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  ZoomOutlookIMPlugin.exe
Key deleted      \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e  msiexec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  ZoomOutlookIMPlugin.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  MsiExec.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  CptInstall.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  MsiExec.exe
Modifies registry class (64 IoCs)
description       ioc  Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\AdvertiseFlags = "388"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\AuthorizedLUAApp = "0"  msiexec.exe
Key deleted       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.callto  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording  MsiExec.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\URL Protocol  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open\command  MsiExec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Version = "84683162"  msiexec.exe
Key deleted       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall  MsiExec.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\""  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\DefaultIcon  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\ProductName = "Zoom(32bit)"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\ProductIcon = "C:\\Windows\\Installer\\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\\_6FEFF9B68218417F98F549.exe"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher\Extension = ".zoommtg"  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\DefaultIcon  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\DefaultIcon  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\""  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\IM  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open\command  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol"  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\URL Protocol  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1"  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\497B918CC54A72F48906C06894A225CC  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\PackageName = "ikm.msi"  msiexec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.tel  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\ = "Zoom Launcher - 3.0.1"  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open\command  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\DefaultIcon  MsiExec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Clients = 3a0000000000  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\UseOriginalUrlEncoding = "1"  MsiExec.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\""  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\ = "URL:ZoomPhoneCall Protocol"  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1"  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open\command  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open\command  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.zoom\ = "ZoomRecording"  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\shell\open  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\""  MsiExec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\Media\1 = ";"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg\Content Type = "application/x-zoommtg-launcher"  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open\command  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.zoom  MsiExec.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\URL Protocol  MsiExec.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1"  MsiExec.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol"  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher  MsiExec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open  MsiExec.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell  MsiExec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Assignment = "1"  msiexec.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   Process
4764  rundll32.exe
4764  rundll32.exe
4820  msiexec.exe
4820  msiexec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
640   MsiExec.exe
4420  ZoomOutlookIMPlugin.exe
4420  ZoomOutlookIMPlugin.exe
1360  CptInstall.exe
1360  CptInstall.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            4664  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4664  msiexec.exe
Token: SeSecurityPrivilege            4820  msiexec.exe
Token: SeCreateTokenPrivilege         4664  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4664  msiexec.exe
Token: SeLockMemoryPrivilege          4664  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4664  msiexec.exe
Token: SeMachineAccountPrivilege      4664  msiexec.exe
Token: SeTcbPrivilege                 4664  msiexec.exe
Token: SeSecurityPrivilege            4664  msiexec.exe
Token: SeTakeOwnershipPrivilege       4664  msiexec.exe
Token: SeLoadDriverPrivilege          4664  msiexec.exe
Token: SeSystemProfilePrivilege       4664  msiexec.exe
Token: SeSystemtimePrivilege          4664  msiexec.exe
Token: SeProfSingleProcessPrivilege   4664  msiexec.exe
Token: SeIncBasePriorityPrivilege     4664  msiexec.exe
Token: SeCreatePagefilePrivilege      4664  msiexec.exe
Token: SeCreatePermanentPrivilege     4664  msiexec.exe
Token: SeBackupPrivilege              4664  msiexec.exe
Token: SeRestorePrivilege             4664  msiexec.exe
Token: SeShutdownPrivilege            4664  msiexec.exe
Token: SeDebugPrivilege               4664  msiexec.exe
Token: SeAuditPrivilege               4664  msiexec.exe
Token: SeSystemEnvironmentPrivilege   4664  msiexec.exe
Token: SeChangeNotifyPrivilege        4664  msiexec.exe
Token: SeRemoteShutdownPrivilege      4664  msiexec.exe
Token: SeUndockPrivilege              4664  msiexec.exe
Token: SeSyncAgentPrivilege           4664  msiexec.exe
Token: SeEnableDelegationPrivilege    4664  msiexec.exe
Token: SeManageVolumePrivilege        4664  msiexec.exe
Token: SeImpersonatePrivilege         4664  msiexec.exe
Token: SeCreateGlobalPrivilege        4664  msiexec.exe
Token: SeBackupPrivilege              4224  vssvc.exe
Token: SeRestorePrivilege             4224  vssvc.exe
Token: SeAuditPrivilege               4224  vssvc.exe
Token: SeBackupPrivilege              4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeDebugPrivilege               640   MsiExec.exe
Token: SeRestorePrivilege             640   MsiExec.exe
Token: SeBackupPrivilege              640   MsiExec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Token: SeRestorePrivilege             4820  msiexec.exe
Token: SeTakeOwnershipPrivilege       4820  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
4664  msiexec.exe
4664  msiexec.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   Process                procid_target
PID 4876 wrote to memory of 4764  4876  ZoomInstallerFull.exe  81
PID 4876 wrote to memory of 4764  4876  ZoomInstallerFull.exe  81
PID 4876 wrote to memory of 4664  4876  ZoomInstallerFull.exe  82
PID 4876 wrote to memory of 4664  4876  ZoomInstallerFull.exe  82
PID 4820 wrote to memory of 4724  4820  msiexec.exe            95
PID 4820 wrote to memory of 4724  4820  msiexec.exe            95
PID 4820 wrote to memory of 640   4820  msiexec.exe            97
PID 4820 wrote to memory of 640   4820  msiexec.exe            97
PID 4820 wrote to memory of 640   4820  msiexec.exe            97
PID 640 wrote to memory of 4420   640   MsiExec.exe            98
PID 640 wrote to memory of 4420   640   MsiExec.exe            98
PID 640 wrote to memory of 4420   640   MsiExec.exe            98
PID 640 wrote to memory of 1360   640   MsiExec.exe            99
PID 640 wrote to memory of 1360   640   MsiExec.exe            99
PID 640 wrote to memory of 1360   640   MsiExec.exe            99
Processes

C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"
  - Suspicious use of WriteProcessMemory
  PID:4876

  C:\WINDOWS\SYSTEM32\rundll32.exe
    Command line: C:\WINDOWS\SYSTEM32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\maker.dll, init
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4764

  C:\Windows\SYSTEM32\msiexec.exe
    Command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\ikm.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4664

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4820

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:4724

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 35F9301F4E3CAD19BD75B9C2F9EC19BF E Global\MSI0000
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:640

    C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
      Command line: "C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe" /Check
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:4420

    C:\Program Files (x86)\Zoom\bin\CptInstall.exe
      Command line: "C:\Program Files (x86)\Zoom\bin\CptInstall.exe" -install -unelevate -product Zoom
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID:1360

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4224

C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
  Command line: "C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\Admin\AppData\Roaming\Zoom"
  - Executes dropped EXE
  PID:3780
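The process tree above has the shape a triage analyst should learn to spot: one parent (the dropped installer, PID 4876) spawns rundll32.exe to call an export of a DLL written to the user's Temp directory, and at the same time launches msiexec.exe on an MSI from that same directory, which then lays down the genuine product files. The rundll32 child is the one that makes the blocklisted network requests; the MSI is the decoy that gives the victim the application they expected. The Python below is an added triage routine, not part of this sandbox report and not a vendor tool. Its EVENTS list is constructed from the PIDs, parent PIDs and command lines in the tree above; the ProcEvent field names are an assumed Sysmon-like schema, the user-writable directory list and the rule names are this example's own choices.

```python
"""Flag the loader-plus-decoy-installer shape in a process-creation log.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; field names and rule names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Directories an unprivileged user can write to. A system binary told to
# load a DLL or install an MSI from here deserves a look. Assumed list.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:Users\\[^\\]+\\(?:AppData\\(?:Local|Roaming)\\Temp|Downloads)"
    r"|Windows\\Temp|ProgramData)\\"
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 marks a root of the tree in the constructed data
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs and command lines as listed).
EVENTS: List[ProcEvent] = [
    ProcEvent(4876, 0, r"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"'),
    ProcEvent(4764, 4876, r"C:\WINDOWS\SYSTEM32\rundll32.exe",
              r"C:\WINDOWS\SYSTEM32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\maker.dll, init"),
    ProcEvent(4664, 4876, r"C:\Windows\SYSTEM32\msiexec.exe",
              r"msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\ikm.msi"),
    ProcEvent(4820, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(640, 4820, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 35F9301F4E3CAD19BD75B9C2F9EC19BF E Global\MSI0000"),
    ProcEvent(4420, 640, r"C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe",
              r'"C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe" /Check'),
]


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Split 'rundll32.exe <dll>,<export> [args]' into (dll, export)."""
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s+(.+)$', cmdline)  # drop the image token
    if not m or "," not in m.group(1):
        return None
    dll, rest = m.group(1).split(",", 1)
    export = rest.split()[0] if rest.split() else ""
    return dll.strip().strip('"'), export


def parse_msi_target(cmdline: str) -> Optional[str]:
    """Return the package path from 'msiexec /i <pkg>' (or /package), else None."""
    m = re.search(r'(?i)/(?:i|package)\s+(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings, sorted, including a parent-level correlation."""
    findings: List[Tuple[int, str]] = []
    roles_under: Dict[int, Set[str]] = {}  # ppid -> roles of flagged children
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        if name == "rundll32.exe":
            parsed = parse_rundll32(e.cmdline)
            if parsed and USER_WRITABLE.search(parsed[0]):
                findings.append((e.pid, "rundll32_loads_dll_from_user_writable_path"))
                roles_under.setdefault(e.ppid, set()).add("loader")
        elif name == "msiexec.exe":
            # Noisy on its own: legitimate bundlers also extract an MSI to
            # %TEMP% before installing it. It matters in combination.
            msi = parse_msi_target(e.cmdline)
            if msi and USER_WRITABLE.search(msi):
                findings.append((e.pid, "msiexec_installs_package_from_user_writable_path"))
                roles_under.setdefault(e.ppid, set()).add("installer")
    # One parent that both runs a Temp DLL export through rundll32 and installs
    # a Temp MSI is the decoy-installer pattern seen in the tree above.
    for ppid, roles in roles_under.items():
        if {"loader", "installer"} <= roles:
            findings.append((ppid, "parent_spawns_loader_and_decoy_installer"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"{pid}\t{rule}")
```

Run stand-alone it reports PIDs 4664, 4764 and 4876 for the constructed tree. The msiexec rule alone will fire on ordinary bundled installers, and rundll32 with a user-writable DLL is the stronger single signal; the parent-level correlation is the finding worth paging on, because it ties the payload loader to the decoy in one process.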
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 225KB
MD5 9e5451ac860085c00d10e6e02ace93cd
SHA1 df62392329cd02d9a8b1b6b7fa694aee6ad8d7a7
SHA256 0580a8af804708ed9a86d9958eecdb84845455d285fc25e5a8f618ae46f7ffab
SHA512 e84589fdb855cee28000e51d5be922f9cfc8901dd3099838c1d92796fdf917c24e26afc01122b9379be2f753062ccdfdc395c012d6b91d319c8b0cbc82cc5686
-
Filesize 463KB
MD5 cd93acb0b47d809d49de75b5e62098b9
SHA1 6cf726521daff980823667e6cb659c7ccf67085b
SHA256 b4786fcaa00af8739df2b73922ad750d5799538448712e5933470211c230068c
SHA512 832cf816d2e2713d9f1b4a805cb25b608eb02bb2fa3c001f980c70c4281c4b6456c7a5c4e492a0c3d1df106a70efe15250a8993e6c1af1c53359860082cce174
-
Filesize 1.6MB
MD5 4fda1fc1054dab4cd2a8c61a9b98b7dc
SHA1 f52dae000279e4b30a28f3aca23b5f04654ac7c5
SHA256 894905b29f5ca31dd0c696333fcc7e23bd3c7ba8fb758b2293df7a7f2268acf8
SHA512 09531c83673fb6a458978158016ec4daadbd6606780be7f47daa4f4b48c5a68affb63dd35797d825647c237bd218ddd50131bc4961ca59fe26318123fdd52dee
-
Filesize 96KB
MD5 d7e39303a4d41e8f27310c2601cdb34c
SHA1 595b000756f2f6483ccaaf751f5ae3309f10e4f6
SHA256 8f9db23d84f8c3cfe3365a64d4aa4c87d4fa02fffa64dcc00d17c66307fc0c82
SHA512 a0088fd79630780dea041abf89e78af48ed5bd8a3976e72e89043c8a604c4d1146eb4cb35ff8206829fd2da66675652ca4bc7953301a8865a4066572f9ce2552
-
Filesize 226KB
MD5 c380b703ef0cb2e5bca13004a242ae65
SHA1 b52a1a3ad31688244124769f02351effc3952248
SHA256 1159dfd3f1a2a87efa7ed0d6fa16001695c3a0f7b21473bbf94d133ca1c41e25
SHA512 de096b58b55f69294d68497686a76a5fca10b1fb27f087dc3216036d2a829605d6ee738eb7e346fc98e327f1398954851a4db33b71357443e657ae61e87ecc91
-
Filesize 280KB
MD5 03c0ad10f2e76ac88586a8093111a545
SHA1 2bd73faa30fc09d1b1d036c43075da5a18f712a9
SHA256 817d66e6ce83acf907ebf7952e72ab17e384c698998dc93d836ee7f1bd94d6e3
SHA512 a77d36ef13e5910d7b1e8b2a0abff97371cd1d16b7cb8818d3da1ebd5d1aa6d4b4d63b4919c2f721d42e16d8b25dab25da3b72639bae3f59a457892167ca2b5e
-
Filesize 440KB
MD5 e0dd94aada0b034b212de071c33054da
SHA1 6c4f1b3f66d07bbcdcf41eb39b1480bb335efcc8
SHA256 08442853f19ce4ff3acae37d87eab33ef81c4c6da62a3432d43253ba79842b64
SHA512 76c877056f448e5dab820e990cc186ba886b2d331d689a99295aaff31a63aadb941c2693b0be98d53bd06cd8041a270eb82ddedfbde305cd9a85bcbe42fcf5a2
-
Filesize 74KB
MD5 87dd91c56be82866bf96ef1666f30a99
SHA1 3b78cb150110166ded8ea51fbde8ea506f72aeaf
SHA256 49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f
SHA512 58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6
-
Filesize 336KB
MD5 260c0125fe9cae11da4cef073b077f68
SHA1 869b78d539340ba055e6810b24217021debf0fae
SHA256 306aa18dcb46b14c1d76f9c7cf78a49c88ef564b54cd4a523a1a4b5076a3ef36
SHA512 d3a78b209e0cef40d35d552e32540a3a2b4d0e4683c5443a74cb1528ae5997d6c17c5413a65fd2d3b1b13c4e1c27d81c5e2bce5ce4ccc3cdb2725330607767ec
-
Filesize 581KB
MD5 8ec8a4e243853dea877d12266a88cfbf
SHA1 4f6129129c0cdda57d8232a2a10d7124d06d6762
SHA256 cf8638536dd901843119c0b56cd4a61a46c3461b2d374658a713763e18389474
SHA512 54e50dded7c661c854a86a2b65899accc923c51e4fa44d463abdfc94e7e7412e6765b7feda81dc82fbf0eee49a08288defc56723da4ce3768f2187b887232eb1
-
Filesize 7KB
MD5 fcf61aed8f093bfcf571cdd8f8162a05
SHA1 8de8177798aae82d5bcc0870c1ca5365f5d9966d
SHA256 1f5b45a5411f7fc71b9da789d6d1ead8ad30551fbea7bbb40fc7ea576d581abb
SHA512 8a5d252d115f868a4e20fce10f9f9ec5f3948f0ad5680d656e0eba1fd167d36889e54c6e59bcde756945f93685401b825ba9dd7243d907d74b58a1d826609d72
-
Filesize 2.5MB
MD5 a97d2029f96df8bb27b22c00d84f7900
SHA1 cdbb1c2fa62f8c9ee9027335cb64a527a79b46ca
SHA256 606bea4c0de0ad49486774990e3590de06d8bc6da366d6d0cb74aebf8573ffca
SHA512 b5353b73cb9279e62aaafa4a5912a9fe127e039bd2f07a5e23100462445e74112f40f7aa157aa6593e970dab2e85000eff386cf25f4ee84449517ca8eaa2305e
-
Filesize 1.1MB
MD5 2040cdcd779bbebad36d36035c675d99
SHA1 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f
-
Filesize 97KB
MD5 f82f0a3932e73d4f6973632d42c0f296
SHA1 9a59389cc938121a5941a589fc4b66a7d65af7e3
SHA256 aab43f8a9ab37b205e651ac629404ee8dbbc9bf0b4fee85b422275406a1c2572
SHA512 97a098112f448362bd677f2991243b8b024d37f03adf7facdb0601639bc0fb9ca99945bc08d8eca580903120c0a6de7a35106984500207a3c5562a34dbc37ea9
-
Filesize 219KB
MD5 97042fb62a7ef502dcd1bc96bc490e28
SHA1 1d1f822fe6095660c9bcae225d110298ab3be32e
SHA256 52089b799c309f023b8d58b703302c3165bc4c680ea8135cb18d7fabc0d42c1c
SHA512 916a1f34871aec9433605bb8a3b208018df30d0e5fdbb935566793523b5b9281d7ac4c1a94932541267a0b4bdb3b71a1f389ce48f7e5a90838d58fd351921bd1
-
Filesize 474KB
MD5 6934de614ca4dd452966e086bea3ead0
SHA1 7c5ca8e69cd685dffa4537285ec601bc760e11c9
SHA256 a81057faa8bd295d0708a34c1879ad5abd4a46ac82a322b7027c027de0439451
SHA512 2ddee6238212d190ccfe4cd06c5a77c9c5c956e6a8f733a1781ace2f4db3457a2e38295aba6469a2e8e12957fb435fcb514de5f4516fb2dcbd005f58bd4d9d60
-
Filesize 7.4MB
MD5 4d4920bf542c67be8e85249faf9bb89e
SHA1 3ae7e5ae51179056c61487902534336c1996a807
SHA256 ed3419d21d69fd71d2133bfcf83732215f4c65eb547ef73107cb98d03e86cd2f
SHA512 402e878f8976cc4c59264ad5ece9bd8a6c6d371103626d6d0f65b55a0d6139eaa1f0a74c1f63149d158de267467b3cd124038d9447808646a8350736a5e9bc9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A
Filesize 471B
MD5 a4f2b9da40d62bbdc3525729d136f9e7
SHA1 6827de091041073a0a78296c8a3c84584b86c8b7
SHA256 974de3108a032fd1fc38da284e272fc07c9c1be2be52068fb85e82ccf197d058
SHA512 b961ca46ef9143723e759062005e69d3e421e64d6cd0df390ace94919e270df10d4bc96142f2bda4b3cb86133e71de93af21c7679ab1bce31a75af282eb27110
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 471B
MD5 da5a9f149955d936a31dc5e456666aac
SHA1 195238d41c1e13448f349f43bb295ef2d55cb47a
SHA256 79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224
SHA512 60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4
Filesize 727B
MD5 c53cff3967c2757fe1dbc2e5e519a92f
SHA1 ab11c34580f7d39b6772a903a6569741110c3df5
SHA256 df90940e9dd59d629b73ed5fdfc42a6bac699d0f8f07f03d2fba6acb47487fd9
SHA512 8d82ca6ee9610327b6aa69ff4b15036bb245e15eb1168a8f7318ab66772f214e5f443182199fdbbffc66afa46fa66405f2fc7a5020902e9298d40b8af6739d83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CB7DFFEEA63BAB482BD2705E7E24AB_C5076ACD41E9D9741BBEE5F165E53636
Filesize 727B
MD5 2bad10f0b55e2d3eed827d1dda515d58
SHA1 371d3af38f766317fe5711fe2bdf34fb97b2f4b4
SHA256 e093931681ea2aa64c5f8e692d97ab102839555f78292f70fbb7882ca44e3f92
SHA512 d37461748e38762707c72c56c143f4be5ad8d6d4faa559b9edde70a49c59fd2cfd7d2b2fc63a2ace2f571786b4b8f08d8bfe120f7eae91948be08d5e33529371
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A
Filesize 430B
MD5 c95097044bba829a317af58fb2fa182a
SHA1 277f1cfffe70a196d8be955fe1babc3a4881e53e
SHA256 1bc586f49a2cdfdd88c25837a0cf12fbe591037ee9e266019f0facb9859f36e2
SHA512 a85596794176826b7cd629dc9339ebe877e9e74ad553cbff2d21461f0a2822f7a566d2242d3d6965a37f820afa291b50f5a9547a880a530834bc9fdcb92514e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 400B
MD5 b4085b8d0949cdf4f797ccfd06a8e98a
SHA1 97c60716a2e1afb61d64effe2234e6ca24fb71f2
SHA256 3eeb9755cd49f9d24be6d13b1c148f969fac4b1085144dcebb977aa672d789be
SHA512 25daae21f58713283ac53b0ce59d7edb9651f047de8b6b3e82e4cb1a16b324bea542fc1621bf9ac33b758a50b257484ee0884854c6da6393253b9f51f6aee63c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4
Filesize 446B
MD5 f02e7f62740b8b2414ef55b2e2900786
SHA1 8d326bb4593325f08b02e18c505731a1e8c59d8d
SHA256 145248876d3f0cd5bcd5dce9336902f2f7b5aba87dd90cba615b5dee50782ac7
SHA512 3262b4e9688a91ecf3b85803e334c4e2c3679c52de08f03ca35eb0fe3b43675a528eae2d002550a6202ea6ce3169a7795c2d09dca1036bacaec4e0797b4cf19f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CB7DFFEEA63BAB482BD2705E7E24AB_C5076ACD41E9D9741BBEE5F165E53636
Filesize 438B
MD5 7eed3cc6baa9e9a2649e96a7baaff3bf
SHA1 247c50973ec30a2d5e79e2bee4c992b56e8c7e64
SHA256 bcfd553c8c7dd1ae84ad67fdb65313756d5ff0f0953faa61a4d7ab516d7be2af
SHA512 09035bf8d7e73a6ff0548bb1ac97ef3b6c39e073bcd9c0bb345aaae8caecb74cbca76a9e739d8c7df26b2df742efd6b6128d79fc4c553224853459232db141d9
-
Filesize 75.1MB
MD5 f7f764ed7be9356b85c73462542b36c3
SHA1 e0a67fa1d899d464ec6a268dcfb1b14de172c582
SHA256 839c1a8a906bd0bce47262a904708ed58eb832a1acae917ecd758ab5a01f3234
SHA512 fafa807291c19bac4da510edc5ccea607b77b0220c5c9090d1eb5a7c3a022f67c113bdf51ef13bc6af830ae3843ca4ea53d96a033fc5aae9714a8708e068b45c
-
Filesize 1.3MB
MD5 c97d41e563c07d771cd661533ad4ede7
SHA1 739ec4cca4ca4204848798c39092d507f0902895
SHA256 3c9cd4cf008ed70df41cc270c77055f6edac139ec7ec2a9c3de1b21c1a294ca7
SHA512 f3f764be1e1080de02f443c17ddfa1c90750b77e2852dee9dc0dac35bf8a53dd13576a02dc8d0abb0eed04c0fd4702b8e62be4dc214ba2e58dbc55b25f72351d
-
Filesize 23.0MB
MD5 2e430281d81b2c77fe6bed34b901bb68
SHA1 29dc8a1aabad6ba36ea5afa2eb656aecdb215fb1
SHA256 d243f20d195d4fc356bab2f43eca42c580c0ae0e32ff7293030ba3d4407425a0
SHA512 60a3d2c30c11fbd98bc1b6fe0ea77a327f8523e9c004612c5b29308fef7adf2dfaddde6cfc914ba88aa185136f96bb0714b207954fbfa955b5a0f7f34ed1130d
-
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{df07a438-b913-4d04-9357-05ba81346e4f}_OnDiskSnapshotProp
Filesize 5KB
MD5 0be6c5ad52490907923c9332e6bd3560
SHA1 6e953191b315d56ed78e7e83a534ac4d510c2ac9
SHA256 2c8a82e25d62c96bf7491c118c8fb9d4efabd4bd7852291133a07343439791d1
SHA512 46ea6c9b4c269c816e400263ac3b082728b9ef58a766e730a8fdf401152cda27bbd27bad27bf75d1315dd16aae9235c1888e91c5a6320ca0bb2bdbffa1dd26b8