Analysis Overview
SHA256
9108e1d22d74bc5397b8886edc4f0a84b8906436a648ef8a86f30cf7e08978dd
Threat Level: Known bad
The file ZoomInstallerFull.exe was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-24 09:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-24 09:28
Reported
2022-12-24 09:31
Platform
win7-20220901-en
Max time kernel
111s
Max time network
49s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe | C:\Windows\system32\WerFault.exe |
| PID 1900 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe | C:\Windows\system32\WerFault.exe |
| PID 1900 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe
"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1900 -s 40
Network
Files
memory/2016-54-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-24 09:28
Reported
2022-12-24 09:31
Platform
win10v2004-20221111-en
Max time kernel
123s
Max time network
147s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| N/A | N/A | C:\WINDOWS\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\WINDOWS\SYSTEM32\rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair = "\"C:\\Program Files (x86)\\Zoom\\bin\\installer.exe\" /repair" | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SYSTEM32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f646-1f3ff-2640.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f52b.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f1fe.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3ff-1f52c.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\270a-1f3ff.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f004.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f38a.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3ff-1f33e.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f58c.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\269c.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f1fb-1f1ee.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\274c.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f1f2-1f1fa.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f6ab.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\2665.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f595.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\27bf.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f1fa-1f1f8.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3ff-1f9bc.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fe-1f384.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f44a.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fb-2764-1f48b-1f468-1f3fd.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f482.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f64d-1f3fd-2640.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f93e.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\267e.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\bin\api-ms-win-core-interlocked-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f9da-1f3ff-2640.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f321.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f573.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f401.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f627.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fe-1f9bc.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\bin\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f64f.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f3cc-1f3fe-2642.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f3cc-1f3ff.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\25c0.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f1e8-1f1fa.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f64e-1f3fc-2642.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1fa72.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f387.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3ff-1f527.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fc-1f9bd.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f9dc-1f3fb-2642.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\267f.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f1e8-1f1f3.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f351.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f999.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f595-1f3fb.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f9d1-1f3fd-1f91d-1f9d1-1f3fd.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f1ea.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3ff-1f4bc.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fb.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fd-1f692.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3ff-2764-1f48b-1f468-1f3fd.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f939-1f3fe-2640.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f35d.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\1f393.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fe-1f91d-1f468-1f3ff.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f9e0.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\bin\zAppUI.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Zoom\resources\Emojis\2623.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zoom\resources\Emojis\1f477-1f3fe.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{D2D52E89-6EC4-456C-ACDB-874925BDE05A} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e56ed81.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF542.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\_6FEFF9B68218417F98F549.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\_6FEFF9B68218417F98F549.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e56ed84.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e56ed81.msi | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not preserved in this copy of the report] | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppName = "Zoom.exe" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppPath = "C:\\Program Files (x86)\\Zoom\\bin" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\Policy = "3" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Zoom.exe = "11000" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\zoommtg | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\zoommtg\WarnOnOpen = "0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A} | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.callto | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\URL Protocol | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open\command | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Version = "84683162" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\DefaultIcon | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\ProductName = "Zoom(32bit)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\ProductIcon = "C:\\Windows\\Installer\\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\\_6FEFF9B68218417F98F549.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher\Extension = ".zoommtg" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\DefaultIcon | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\DefaultIcon | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\IM | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open\command | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\URL Protocol | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\497B918CC54A72F48906C06894A225CC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\PackageName = "ikm.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.tel | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\ = "Zoom Launcher - 3.0.1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open\command | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\DefaultIcon | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\UseOriginalUrlEncoding = "1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\ = "URL:ZoomPhoneCall Protocol" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open\command | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open\command | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zoom\ = "ZoomRecording" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg\Content Type = "application/x-zoommtg-launcher" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open\command | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zoom | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\URL Protocol | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\WINDOWS\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Zoom\bin\CptInstall.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe
"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\maker.dll, init
C:\Windows\SYSTEM32\msiexec.exe
msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\ikm.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 35F9301F4E3CAD19BD75B9C2F9EC19BF E Global\MSI0000
C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
"C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe" /Check
C:\Program Files (x86)\Zoom\bin\CptInstall.exe
"C:\Program Files (x86)\Zoom\bin\CptInstall.exe" -install -unelevate -product Zoom
C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
"C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\Admin\AppData\Roaming\Zoom"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | trbiriumpa.com | udp |
| N/A | 143.198.92.88:80 | trbiriumpa.com | tcp |
| N/A | 88.221.25.154:80 | N/A | tcp |
| N/A | 88.221.25.154:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 20.50.73.9:443 | N/A | tcp |
| N/A | 8.248.7.254:80 | N/A | tcp |
| N/A | 8.248.7.254:80 | N/A | tcp |
| N/A | 8.248.7.254:80 | N/A | tcp |
| N/A | 13.107.21.200:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | trbiriumpa.com | udp |
| N/A | 143.198.92.88:80 | trbiriumpa.com | tcp |
| N/A | 143.198.92.88:80 | trbiriumpa.com | tcp |
Files
memory/4764-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\maker.dll
| MD5 | c97d41e563c07d771cd661533ad4ede7 |
| SHA1 | 739ec4cca4ca4204848798c39092d507f0902895 |
| SHA256 | 3c9cd4cf008ed70df41cc270c77055f6edac139ec7ec2a9c3de1b21c1a294ca7 |
| SHA512 | f3f764be1e1080de02f443c17ddfa1c90750b77e2852dee9dc0dac35bf8a53dd13576a02dc8d0abb0eed04c0fd4702b8e62be4dc214ba2e58dbc55b25f72351d |
memory/4764-135-0x0000000180000000-0x0000000180009000-memory.dmp
memory/4664-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ikm.msi
| MD5 | f7f764ed7be9356b85c73462542b36c3 |
| SHA1 | e0a67fa1d899d464ec6a268dcfb1b14de172c582 |
| SHA256 | 839c1a8a906bd0bce47262a904708ed58eb832a1acae917ecd758ab5a01f3234 |
| SHA512 | fafa807291c19bac4da510edc5ccea607b77b0220c5c9090d1eb5a7c3a022f67c113bdf51ef13bc6af830ae3843ca4ea53d96a033fc5aae9714a8708e068b45c |
memory/4724-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A
| MD5 | a4f2b9da40d62bbdc3525729d136f9e7 |
| SHA1 | 6827de091041073a0a78296c8a3c84584b86c8b7 |
| SHA256 | 974de3108a032fd1fc38da284e272fc07c9c1be2be52068fb85e82ccf197d058 |
| SHA512 | b961ca46ef9143723e759062005e69d3e421e64d6cd0df390ace94919e270df10d4bc96142f2bda4b3cb86133e71de93af21c7679ab1bce31a75af282eb27110 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A
| MD5 | c95097044bba829a317af58fb2fa182a |
| SHA1 | 277f1cfffe70a196d8be955fe1babc3a4881e53e |
| SHA256 | 1bc586f49a2cdfdd88c25837a0cf12fbe591037ee9e266019f0facb9859f36e2 |
| SHA512 | a85596794176826b7cd629dc9339ebe877e9e74ad553cbff2d21461f0a2822f7a566d2242d3d6965a37f820afa291b50f5a9547a880a530834bc9fdcb92514e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CB7DFFEEA63BAB482BD2705E7E24AB_C5076ACD41E9D9741BBEE5F165E53636
| MD5 | 2bad10f0b55e2d3eed827d1dda515d58 |
| SHA1 | 371d3af38f766317fe5711fe2bdf34fb97b2f4b4 |
| SHA256 | e093931681ea2aa64c5f8e692d97ab102839555f78292f70fbb7882ca44e3f92 |
| SHA512 | d37461748e38762707c72c56c143f4be5ad8d6d4faa559b9edde70a49c59fd2cfd7d2b2fc63a2ace2f571786b4b8f08d8bfe120f7eae91948be08d5e33529371 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CB7DFFEEA63BAB482BD2705E7E24AB_C5076ACD41E9D9741BBEE5F165E53636
| MD5 | 7eed3cc6baa9e9a2649e96a7baaff3bf |
| SHA1 | 247c50973ec30a2d5e79e2bee4c992b56e8c7e64 |
| SHA256 | bcfd553c8c7dd1ae84ad67fdb65313756d5ff0f0953faa61a4d7ab516d7be2af |
| SHA512 | 09035bf8d7e73a6ff0548bb1ac97ef3b6c39e073bcd9c0bb345aaae8caecb74cbca76a9e739d8c7df26b2df742efd6b6128d79fc4c553224853459232db141d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4
| MD5 | c53cff3967c2757fe1dbc2e5e519a92f |
| SHA1 | ab11c34580f7d39b6772a903a6569741110c3df5 |
| SHA256 | df90940e9dd59d629b73ed5fdfc42a6bac699d0f8f07f03d2fba6acb47487fd9 |
| SHA512 | 8d82ca6ee9610327b6aa69ff4b15036bb245e15eb1168a8f7318ab66772f214e5f443182199fdbbffc66afa46fa66405f2fc7a5020902e9298d40b8af6739d83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4
| MD5 | f02e7f62740b8b2414ef55b2e2900786 |
| SHA1 | 8d326bb4593325f08b02e18c505731a1e8c59d8d |
| SHA256 | 145248876d3f0cd5bcd5dce9336902f2f7b5aba87dd90cba615b5dee50782ac7 |
| SHA512 | 3262b4e9688a91ecf3b85803e334c4e2c3679c52de08f03ca35eb0fe3b43675a528eae2d002550a6202ea6ce3169a7795c2d09dca1036bacaec4e0797b4cf19f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | da5a9f149955d936a31dc5e456666aac |
| SHA1 | 195238d41c1e13448f349f43bb295ef2d55cb47a |
| SHA256 | 79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224 |
| SHA512 | 60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
| MD5 | b4085b8d0949cdf4f797ccfd06a8e98a |
| SHA1 | 97c60716a2e1afb61d64effe2234e6ca24fb71f2 |
| SHA256 | 3eeb9755cd49f9d24be6d13b1c148f969fac4b1085144dcebb977aa672d789be |
| SHA512 | 25daae21f58713283ac53b0ce59d7edb9651f047de8b6b3e82e4cb1a16b324bea542fc1621bf9ac33b758a50b257484ee0884854c6da6393253b9f51f6aee63c |
memory/640-152-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Zoom\Zoom(32bit)\CustomAction.dll
| MD5 | cd93acb0b47d809d49de75b5e62098b9 |
| SHA1 | 6cf726521daff980823667e6cb659c7ccf67085b |
| SHA256 | b4786fcaa00af8739df2b73922ad750d5799538448712e5933470211c230068c |
| SHA512 | 832cf816d2e2713d9f1b4a805cb25b608eb02bb2fa3c001f980c70c4281c4b6456c7a5c4e492a0c3d1df106a70efe15250a8993e6c1af1c53359860082cce174 |
C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
| MD5 | 8ec8a4e243853dea877d12266a88cfbf |
| SHA1 | 4f6129129c0cdda57d8232a2a10d7124d06d6762 |
| SHA256 | cf8638536dd901843119c0b56cd4a61a46c3461b2d374658a713763e18389474 |
| SHA512 | 54e50dded7c661c854a86a2b65899accc923c51e4fa44d463abdfc94e7e7412e6765b7feda81dc82fbf0eee49a08288defc56723da4ce3768f2187b887232eb1 |
memory/4420-156-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
| MD5 | 8ec8a4e243853dea877d12266a88cfbf |
| SHA1 | 4f6129129c0cdda57d8232a2a10d7124d06d6762 |
| SHA256 | cf8638536dd901843119c0b56cd4a61a46c3461b2d374658a713763e18389474 |
| SHA512 | 54e50dded7c661c854a86a2b65899accc923c51e4fa44d463abdfc94e7e7412e6765b7feda81dc82fbf0eee49a08288defc56723da4ce3768f2187b887232eb1 |
C:\Program Files (x86)\Zoom\bin\Cmmlib.dll
| MD5 | 4fda1fc1054dab4cd2a8c61a9b98b7dc |
| SHA1 | f52dae000279e4b30a28f3aca23b5f04654ac7c5 |
| SHA256 | 894905b29f5ca31dd0c696333fcc7e23bd3c7ba8fb758b2293df7a7f2268acf8 |
| SHA512 | 09531c83673fb6a458978158016ec4daadbd6606780be7f47daa4f4b48c5a68affb63dd35797d825647c237bd218ddd50131bc4961ca59fe26318123fdd52dee |
C:\Program Files (x86)\Zoom\bin\zCrashReport.dll
| MD5 | f82f0a3932e73d4f6973632d42c0f296 |
| SHA1 | 9a59389cc938121a5941a589fc4b66a7d65af7e3 |
| SHA256 | aab43f8a9ab37b205e651ac629404ee8dbbc9bf0b4fee85b422275406a1c2572 |
| SHA512 | 97a098112f448362bd677f2991243b8b024d37f03adf7facdb0601639bc0fb9ca99945bc08d8eca580903120c0a6de7a35106984500207a3c5562a34dbc37ea9 |
C:\Program Files (x86)\Zoom\bin\VCRUNTIME140.dll
| MD5 | 87dd91c56be82866bf96ef1666f30a99 |
| SHA1 | 3b78cb150110166ded8ea51fbde8ea506f72aeaf |
| SHA256 | 49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f |
| SHA512 | 58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6 |
C:\Program Files (x86)\Zoom\bin\vcruntime140.dll
| MD5 | 87dd91c56be82866bf96ef1666f30a99 |
| SHA1 | 3b78cb150110166ded8ea51fbde8ea506f72aeaf |
| SHA256 | 49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f |
| SHA512 | 58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6 |
C:\Program Files (x86)\Zoom\bin\msvcp140.dll
| MD5 | e0dd94aada0b034b212de071c33054da |
| SHA1 | 6c4f1b3f66d07bbcdcf41eb39b1480bb335efcc8 |
| SHA256 | 08442853f19ce4ff3acae37d87eab33ef81c4c6da62a3432d43253ba79842b64 |
| SHA512 | 76c877056f448e5dab820e990cc186ba886b2d331d689a99295aaff31a63aadb941c2693b0be98d53bd06cd8041a270eb82ddedfbde305cd9a85bcbe42fcf5a2 |
C:\Program Files (x86)\Zoom\bin\MSVCP140.dll
| MD5 | e0dd94aada0b034b212de071c33054da |
| SHA1 | 6c4f1b3f66d07bbcdcf41eb39b1480bb335efcc8 |
| SHA256 | 08442853f19ce4ff3acae37d87eab33ef81c4c6da62a3432d43253ba79842b64 |
| SHA512 | 76c877056f448e5dab820e990cc186ba886b2d331d689a99295aaff31a63aadb941c2693b0be98d53bd06cd8041a270eb82ddedfbde305cd9a85bcbe42fcf5a2 |
C:\Program Files (x86)\Zoom\bin\zCrashReport.dll
| MD5 | f82f0a3932e73d4f6973632d42c0f296 |
| SHA1 | 9a59389cc938121a5941a589fc4b66a7d65af7e3 |
| SHA256 | aab43f8a9ab37b205e651ac629404ee8dbbc9bf0b4fee85b422275406a1c2572 |
| SHA512 | 97a098112f448362bd677f2991243b8b024d37f03adf7facdb0601639bc0fb9ca99945bc08d8eca580903120c0a6de7a35106984500207a3c5562a34dbc37ea9 |
C:\Program Files (x86)\Zoom\bin\libcrypto-1_1.dll
| MD5 | a97d2029f96df8bb27b22c00d84f7900 |
| SHA1 | cdbb1c2fa62f8c9ee9027335cb64a527a79b46ca |
| SHA256 | 606bea4c0de0ad49486774990e3590de06d8bc6da366d6d0cb74aebf8573ffca |
| SHA512 | b5353b73cb9279e62aaafa4a5912a9fe127e039bd2f07a5e23100462445e74112f40f7aa157aa6593e970dab2e85000eff386cf25f4ee84449517ca8eaa2305e |
C:\Program Files (x86)\Zoom\bin\Cmmlib.dll
| MD5 | 4fda1fc1054dab4cd2a8c61a9b98b7dc |
| SHA1 | f52dae000279e4b30a28f3aca23b5f04654ac7c5 |
| SHA256 | 894905b29f5ca31dd0c696333fcc7e23bd3c7ba8fb758b2293df7a7f2268acf8 |
| SHA512 | 09531c83673fb6a458978158016ec4daadbd6606780be7f47daa4f4b48c5a68affb63dd35797d825647c237bd218ddd50131bc4961ca59fe26318123fdd52dee |
C:\Program Files (x86)\Zoom\bin\crashrpt_lang.ini
| MD5 | fcf61aed8f093bfcf571cdd8f8162a05 |
| SHA1 | 8de8177798aae82d5bcc0870c1ca5365f5d9966d |
| SHA256 | 1f5b45a5411f7fc71b9da789d6d1ead8ad30551fbea7bbb40fc7ea576d581abb |
| SHA512 | 8a5d252d115f868a4e20fce10f9f9ec5f3948f0ad5680d656e0eba1fd167d36889e54c6e59bcde756945f93685401b825ba9dd7243d907d74b58a1d826609d72 |
C:\Program Files (x86)\Zoom\bin\zCrashReport.exe
| MD5 | 97042fb62a7ef502dcd1bc96bc490e28 |
| SHA1 | 1d1f822fe6095660c9bcae225d110298ab3be32e |
| SHA256 | 52089b799c309f023b8d58b703302c3165bc4c680ea8135cb18d7fabc0d42c1c |
| SHA512 | 916a1f34871aec9433605bb8a3b208018df30d0e5fdbb935566793523b5b9281d7ac4c1a94932541267a0b4bdb3b71a1f389ce48f7e5a90838d58fd351921bd1 |
C:\Program Files (x86)\Zoom\bin\zOutlookIMUtil.dll
| MD5 | 6934de614ca4dd452966e086bea3ead0 |
| SHA1 | 7c5ca8e69cd685dffa4537285ec601bc760e11c9 |
| SHA256 | a81057faa8bd295d0708a34c1879ad5abd4a46ac82a322b7027c027de0439451 |
| SHA512 | 2ddee6238212d190ccfe4cd06c5a77c9c5c956e6a8f733a1781ace2f4db3457a2e38295aba6469a2e8e12957fb435fcb514de5f4516fb2dcbd005f58bd4d9d60 |
C:\Program Files (x86)\Zoom\bin\Zoom.exe
| MD5 | 260c0125fe9cae11da4cef073b077f68 |
| SHA1 | 869b78d539340ba055e6810b24217021debf0fae |
| SHA256 | 306aa18dcb46b14c1d76f9c7cf78a49c88ef564b54cd4a523a1a4b5076a3ef36 |
| SHA512 | d3a78b209e0cef40d35d552e32540a3a2b4d0e4683c5443a74cb1528ae5997d6c17c5413a65fd2d3b1b13c4e1c27d81c5e2bce5ce4ccc3cdb2725330607767ec |
C:\Program Files (x86)\Zoom\Zoom(32bit)\CustomAction.dll
| MD5 | cd93acb0b47d809d49de75b5e62098b9 |
| SHA1 | 6cf726521daff980823667e6cb659c7ccf67085b |
| SHA256 | b4786fcaa00af8739df2b73922ad750d5799538448712e5933470211c230068c |
| SHA512 | 832cf816d2e2713d9f1b4a805cb25b608eb02bb2fa3c001f980c70c4281c4b6456c7a5c4e492a0c3d1df106a70efe15250a8993e6c1af1c53359860082cce174 |
C:\Program Files (x86)\Zoom\bin\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
C:\Program Files (x86)\Zoom\bin\CptShare.dll
| MD5 | 03c0ad10f2e76ac88586a8093111a545 |
| SHA1 | 2bd73faa30fc09d1b1d036c43075da5a18f712a9 |
| SHA256 | 817d66e6ce83acf907ebf7952e72ab17e384c698998dc93d836ee7f1bd94d6e3 |
| SHA512 | a77d36ef13e5910d7b1e8b2a0abff97371cd1d16b7cb8818d3da1ebd5d1aa6d4b4d63b4919c2f721d42e16d8b25dab25da3b72639bae3f59a457892167ca2b5e |
C:\Program Files (x86)\Zoom\bin\zCrashReport.dll
| MD5 | f82f0a3932e73d4f6973632d42c0f296 |
| SHA1 | 9a59389cc938121a5941a589fc4b66a7d65af7e3 |
| SHA256 | aab43f8a9ab37b205e651ac629404ee8dbbc9bf0b4fee85b422275406a1c2572 |
| SHA512 | 97a098112f448362bd677f2991243b8b024d37f03adf7facdb0601639bc0fb9ca99945bc08d8eca580903120c0a6de7a35106984500207a3c5562a34dbc37ea9 |
C:\Program Files (x86)\Zoom\bin\vcruntime140.dll
| MD5 | 87dd91c56be82866bf96ef1666f30a99 |
| SHA1 | 3b78cb150110166ded8ea51fbde8ea506f72aeaf |
| SHA256 | 49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f |
| SHA512 | 58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6 |
C:\Program Files (x86)\Zoom\bin\CptInstall.exe
| MD5 | c380b703ef0cb2e5bca13004a242ae65 |
| SHA1 | b52a1a3ad31688244124769f02351effc3952248 |
| SHA256 | 1159dfd3f1a2a87efa7ed0d6fa16001695c3a0f7b21473bbf94d133ca1c41e25 |
| SHA512 | de096b58b55f69294d68497686a76a5fca10b1fb27f087dc3216036d2a829605d6ee738eb7e346fc98e327f1398954851a4db33b71357443e657ae61e87ecc91 |
C:\Program Files (x86)\Zoom\bin\CptControl.exe
| MD5 | d7e39303a4d41e8f27310c2601cdb34c |
| SHA1 | 595b000756f2f6483ccaaf751f5ae3309f10e4f6 |
| SHA256 | 8f9db23d84f8c3cfe3365a64d4aa4c87d4fa02fffa64dcc00d17c66307fc0c82 |
| SHA512 | a0088fd79630780dea041abf89e78af48ed5bd8a3976e72e89043c8a604c4d1146eb4cb35ff8206829fd2da66675652ca4bc7953301a8865a4066572f9ce2552 |
C:\Program Files (x86)\Zoom\bin\CptService.exe
| MD5 | 9e5451ac860085c00d10e6e02ace93cd |
| SHA1 | df62392329cd02d9a8b1b6b7fa694aee6ad8d7a7 |
| SHA256 | 0580a8af804708ed9a86d9958eecdb84845455d285fc25e5a8f618ae46f7ffab |
| SHA512 | e84589fdb855cee28000e51d5be922f9cfc8901dd3099838c1d92796fdf917c24e26afc01122b9379be2f753062ccdfdc395c012d6b91d319c8b0cbc82cc5686 |
C:\Program Files (x86)\Zoom\bin\ucrtbase.dll
| MD5 | 2040cdcd779bbebad36d36035c675d99 |
| SHA1 | 918bc19f55e656f6d6b1e4713604483eb997ea15 |
| SHA256 | 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359 |
| SHA512 | 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f |
C:\Program Files (x86)\Zoom\bin\msvcp140.dll
| MD5 | e0dd94aada0b034b212de071c33054da |
| SHA1 | 6c4f1b3f66d07bbcdcf41eb39b1480bb335efcc8 |
| SHA256 | 08442853f19ce4ff3acae37d87eab33ef81c4c6da62a3432d43253ba79842b64 |
| SHA512 | 76c877056f448e5dab820e990cc186ba886b2d331d689a99295aaff31a63aadb941c2693b0be98d53bd06cd8041a270eb82ddedfbde305cd9a85bcbe42fcf5a2 |
memory/1360-185-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
| MD5 | 9e5451ac860085c00d10e6e02ace93cd |
| SHA1 | df62392329cd02d9a8b1b6b7fa694aee6ad8d7a7 |
| SHA256 | 0580a8af804708ed9a86d9958eecdb84845455d285fc25e5a8f618ae46f7ffab |
| SHA512 | e84589fdb855cee28000e51d5be922f9cfc8901dd3099838c1d92796fdf917c24e26afc01122b9379be2f753062ccdfdc395c012d6b91d319c8b0cbc82cc5686 |
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{df07a438-b913-4d04-9357-05ba81346e4f}_OnDiskSnapshotProp
| MD5 | 0be6c5ad52490907923c9332e6bd3560 |
| SHA1 | 6e953191b315d56ed78e7e83a534ac4d510c2ac9 |
| SHA256 | 2c8a82e25d62c96bf7491c118c8fb9d4efabd4bd7852291133a07343439791d1 |
| SHA512 | 46ea6c9b4c269c816e400263ac3b082728b9ef58a766e730a8fdf401152cda27bbd27bad27bf75d1315dd16aae9235c1888e91c5a6320ca0bb2bdbffa1dd26b8 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 2e430281d81b2c77fe6bed34b901bb68 |
| SHA1 | 29dc8a1aabad6ba36ea5afa2eb656aecdb215fb1 |
| SHA256 | d243f20d195d4fc356bab2f43eca42c580c0ae0e32ff7293030ba3d4407425a0 |
| SHA512 | 60a3d2c30c11fbd98bc1b6fe0ea77a327f8523e9c004612c5b29308fef7adf2dfaddde6cfc914ba88aa185136f96bb0714b207954fbfa955b5a0f7f34ed1130d |
C:\Program Files (x86)\Zoom\resources\emojione_low.7z
| MD5 | 4d4920bf542c67be8e85249faf9bb89e |
| SHA1 | 3ae7e5ae51179056c61487902534336c1996a807 |
| SHA256 | ed3419d21d69fd71d2133bfcf83732215f4c65eb547ef73107cb98d03e86cd2f |
| SHA512 | 402e878f8976cc4c59264ad5ece9bd8a6c6d371103626d6d0f65b55a0d6139eaa1f0a74c1f63149d158de267467b3cd124038d9447808646a8350736a5e9bc9d |