Malware Analysis Report

2025-06-16 04:03

Sample ID 221224-lfcs5sda6z
Target ZoomInstallerFull.exe
SHA256 9108e1d22d74bc5397b8886edc4f0a84b8906436a648ef8a86f30cf7e08978dd
Tags
icedid 3280585787 banker loader persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

9108e1d22d74bc5397b8886edc4f0a84b8906436a648ef8a86f30cf7e08978dd

Threat Level: Known bad

The file ZoomInstallerFull.exe was found to be: Known bad.

Malicious Activity Summary

icedid 3280585787 banker loader persistence trojan

IcedID, BokBot

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-24 09:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-24 09:28

Reported

2022-12-24 09:31

Platform

win7-20220901-en

Max time kernel

111s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe

"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1900 -s 40

Network

N/A

Files

memory/2016-54-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-24 09:28

Reported

2022-12-24 09:31

Platform

win10v2004-20221111-en

Max time kernel

123s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\WINDOWS\SYSTEM32\rundll32.exe N/A
N/A N/A C:\Windows\SYSTEM32\msiexec.exe N/A
N/A N/A C:\WINDOWS\SYSTEM32\rundll32.exe N/A
N/A N/A C:\WINDOWS\SYSTEM32\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair = "\"C:\\Program Files (x86)\\Zoom\\bin\\installer.exe\" /repair" C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives


Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{D2D52E89-6EC4-456C-ACDB-874925BDE05A} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e56ed81.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF542.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\_6FEFF9B68218417F98F549.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\_6FEFF9B68218417F98F549.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e56ed84.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e56ed81.msi C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppName = "Zoom.exe" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppPath = "C:\\Program Files (x86)\\Zoom\\bin" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\Policy = "3" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Zoom.exe = "11000" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\zoommtg C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\zoommtg\WarnOnOpen = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A} C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS


Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.callto C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\URL Protocol C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open\command C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Version = "84683162" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\DefaultIcon C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\ProductName = "Zoom(32bit)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\ProductIcon = "C:\\Windows\\Installer\\{D2D52E89-6EC4-456C-ACDB-874925BDE05A}\\_6FEFF9B68218417F98F549.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher\Extension = ".zoommtg" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\DefaultIcon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\DefaultIcon C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\IM C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open\command C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\URL Protocol C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\497B918CC54A72F48906C06894A225CC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\PackageName = "ikm.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.tel C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\ = "Zoom Launcher - 3.0.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open\command C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\DefaultIcon C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\UseOriginalUrlEncoding = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\ = "URL:ZoomPhoneCall Protocol" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell\open\command C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open\command C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zoom\ = "ZoomRecording" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPhoneCall\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" --url=\"%l\"" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg\Content Type = "application/x-zoommtg-launcher" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open\command C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zoom C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\URL Protocol C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomPbx.zoomphonecall\shell C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPhoneCall\shell\open C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\ZoomPbx.zoomphonecall\shell C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98E25D2D4CE6C654CABD789452DB0EA5\Assignment = "1" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SYSTEM32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\msiexec.exe N/A
N/A N/A C:\Windows\SYSTEM32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe C:\WINDOWS\SYSTEM32\rundll32.exe
PID 4876 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe C:\WINDOWS\SYSTEM32\rundll32.exe
PID 4876 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe C:\Windows\SYSTEM32\msiexec.exe
PID 4876 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe C:\Windows\SYSTEM32\msiexec.exe
PID 4820 wrote to memory of 4724 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4820 wrote to memory of 4724 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4820 wrote to memory of 640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4820 wrote to memory of 640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4820 wrote to memory of 640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 640 wrote to memory of 4420 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
PID 640 wrote to memory of 4420 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
PID 640 wrote to memory of 4420 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe
PID 640 wrote to memory of 1360 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Zoom\bin\CptInstall.exe
PID 640 wrote to memory of 1360 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Zoom\bin\CptInstall.exe
PID 640 wrote to memory of 1360 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Zoom\bin\CptInstall.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe

"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\WINDOWS\SYSTEM32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\maker.dll, init

C:\Windows\SYSTEM32\msiexec.exe

msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\ikm.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 35F9301F4E3CAD19BD75B9C2F9EC19BF E Global\MSI0000

C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe

"C:\Program Files (x86)\Zoom\bin\ZoomOutlookIMPlugin.exe" /Check

C:\Program Files (x86)\Zoom\bin\CptInstall.exe

"C:\Program Files (x86)\Zoom\bin\CptInstall.exe" -install -unelevate -product Zoom

C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe

"C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\Admin\AppData\Roaming\Zoom"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 trbiriumpa.com udp
N/A 143.198.92.88:80 trbiriumpa.com tcp
N/A 88.221.25.154:80 tcp
N/A 88.221.25.154:80 tcp
N/A 104.80.225.205:443 tcp
N/A 20.50.73.9:443 tcp
N/A 8.248.7.254:80 tcp
N/A 8.248.7.254:80 tcp
N/A 8.248.7.254:80 tcp
N/A 13.107.21.200:443 tcp
N/A 8.8.8.8:53 trbiriumpa.com udp
N/A 143.198.92.88:80 trbiriumpa.com tcp
N/A 143.198.92.88:80 trbiriumpa.com tcp

Files
