a14de0b134a1f29867a9ced1917bacb51f27439aaaf23a2f79223c09f7f1cb66

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15dfe.msi
Size

32.3MB
MD5

2d070b46cbf01bfb217b2157ee97cbea
SHA1

effa91a0bfa1f813fa44720a8a596488ddba77bb
SHA256

ba27249fbd5fbdbb4c0418d1e03f4d06c09756caa15d1094c7c90b43c1505015
SHA512

77371374182e44e7decd20e43f12d870a6807b7c7d9283b13f0826305e9aed81045dcd030140ca74a845eef293881011bc9b6a4bce12bdde94c27b235f7ddbb7
SSDEEP

786432:5RNL9jDmGwzEgvexNAoLi9fJOUlo4Gd/JOIIUzbTsG:F9vewgLo2D00Ix3

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	3216	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	CptInstall.exe
3680	CptService.exe

Loads dropped DLL 7 IoCs

pid	Process
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair = "\"C:\\Program Files (x86)\\Zoom\\bin\\installer.exe\" /repair"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f36a.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f433.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f5a5.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f62b.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f6b4-1f3fc-2642.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f1e7-1f1ef.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f468-1f466-1f466.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f9d9-1f3ff-2640.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f9dd-1f3fc-2642.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f1e7-1f1f7.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f482-1f3ff-2640.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fe-1f3a8.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\2708.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\2b06.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3a4.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f44b-1f3ff.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f1e6-1f1f6.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f6b4-1f3ff.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f1f0-1f1fc.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f45e.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f482-2642.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f93e-1f3ff.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\bin\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f1f7-1f1f4.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f450.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f646-1f3fb.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f6b6-1f3fb-2640.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f917.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\2b1b.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\bin\aomhost\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f3fc-1f3ed.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f1f8-1f1fb.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f478-1f3fc.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f194.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f49d.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f939-1f3fb.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f44c-1f3fb.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f3c3-1f3ff.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f469-1f3fd-1f393.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f4a3.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f4b1.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f4b4.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f6eb.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f942.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f1e7.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f1ef-1f1f2.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f1e8-1f1f5.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f487-1f3fe.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f491.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f926-1f3fe.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f1ec-1f1f1.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f3ca-1f3fc.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f3cb-1f3fe-2640.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f400.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f482-1f3fc-2640.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f58d.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f1e6-1f1f2.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f645-1f3fc-2642.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f93e-2640.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f9d6-1f3fe.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\2196.png	MsiExec.exe
File created	C:\Program Files (x86)\Zoom\resources\Emojis\1f3cc-1f3fb-2640.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f468-1f469-1f467.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Zoom\resources\Emojis\1f470-1f3fe.png	MsiExec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57180c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{3E5F39FC-17FC-42EE-B026-4ECC93C16447}\_6FEFF9B68218417F98F549.exe	msiexec.exe
File created	C:\Windows\Installer\e57180f.msi	msiexec.exe
File created	C:\Windows\Installer\{3E5F39FC-17FC-42EE-B026-4ECC93C16447}\_6FEFF9B68218417F98F549.exe	msiexec.exe
File created	C:\Windows\Installer\e57180c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3E5F39FC-17FC-42EE-B026-4ECC93C16447}	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppName = "Zoom.exe"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppPath = "C:\\Program Files (x86)\\Zoom\\bin"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\Policy = "3"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Zoom.exe = "11000"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\zoommtg	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\zoommtg\WarnOnOpen = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	CptInstall.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	CptInstall.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	CptInstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	CptInstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	CptInstall.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList\PackageName = "15dfe.msi"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.im	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\IM	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\URL Protocol	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CF93F5E3CF71EE240B62E4CC391C4674	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\497B918CC54A72F48906C06894A225CC\CF93F5E3CF71EE240B62E4CC391C4674	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.callto	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open\command	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open\command	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\zTscoder.exe\" \"%1\""	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\497B918CC54A72F48906C06894A225CC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPhoneCall	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\DefaultIcon	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\ = "Zoom Launcher - 3.0.1"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg\ = "ZoomLauncher"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" \"--url=%1\""	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.zoomphonecall	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\callto	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zoom\ = "ZoomRecording"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher\shell\open\command\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\" \"--url=%1\""	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-zoommtg-launcher\Extension = ".zoommtg"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.tel	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\tel	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.im	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg\Content Type = "application/x-zoommtg-launcher"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomLauncher	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\DefaultIcon	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open\command	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zoom	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\ProductIcon = "C:\\Windows\\Installer\\{3E5F39FC-17FC-42EE-B026-4ECC93C16447}\\_6FEFF9B68218417F98F549.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\shell\open	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\PackageCode = "A8EC61D8CCB88054E9B3C667C572744C"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\Version = "83979446"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\ = "Zoom Recording File"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording\DefaultIcon\ = "\"C:\\Program Files (x86)\\Zoom\\bin\\Zoom.exe\",0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\ProductName = "Zoom"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.callto	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\ = "URL:Zoom Launcher"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\UseOriginalUrlEncoding = "1"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.zoomphonecall	MsiExec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\ZoomPbx.tel	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zoommtg	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zoommtg\shell\open	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoomRecording	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CF93F5E3CF71EE240B62E4CC391C4674\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CF93F5E3CF71EE240B62E4CC391C4674	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
100	msiexec.exe
100	msiexec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
2576	CptInstall.exe
2576	CptInstall.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	100	msiexec.exe
Token: SeCreateTokenPrivilege	3216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3216	msiexec.exe
Token: SeLockMemoryPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeMachineAccountPrivilege	3216	msiexec.exe
Token: SeTcbPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	3216	msiexec.exe
Token: SeTakeOwnershipPrivilege	3216	msiexec.exe
Token: SeLoadDriverPrivilege	3216	msiexec.exe
Token: SeSystemProfilePrivilege	3216	msiexec.exe
Token: SeSystemtimePrivilege	3216	msiexec.exe
Token: SeProfSingleProcessPrivilege	3216	msiexec.exe
Token: SeIncBasePriorityPrivilege	3216	msiexec.exe
Token: SeCreatePagefilePrivilege	3216	msiexec.exe
Token: SeCreatePermanentPrivilege	3216	msiexec.exe
Token: SeBackupPrivilege	3216	msiexec.exe
Token: SeRestorePrivilege	3216	msiexec.exe
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeDebugPrivilege	3216	msiexec.exe
Token: SeAuditPrivilege	3216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3216	msiexec.exe
Token: SeChangeNotifyPrivilege	3216	msiexec.exe
Token: SeRemoteShutdownPrivilege	3216	msiexec.exe
Token: SeUndockPrivilege	3216	msiexec.exe
Token: SeSyncAgentPrivilege	3216	msiexec.exe
Token: SeEnableDelegationPrivilege	3216	msiexec.exe
Token: SeManageVolumePrivilege	3216	msiexec.exe
Token: SeImpersonatePrivilege	3216	msiexec.exe
Token: SeCreateGlobalPrivilege	3216	msiexec.exe
Token: SeBackupPrivilege	832	vssvc.exe
Token: SeRestorePrivilege	832	vssvc.exe
Token: SeAuditPrivilege	832	vssvc.exe
Token: SeBackupPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeBackupPrivilege	2848	srtasks.exe
Token: SeRestorePrivilege	2848	srtasks.exe
Token: SeSecurityPrivilege	2848	srtasks.exe
Token: SeTakeOwnershipPrivilege	2848	srtasks.exe
Token: SeBackupPrivilege	2848	srtasks.exe
Token: SeRestorePrivilege	2848	srtasks.exe
Token: SeSecurityPrivilege	2848	srtasks.exe
Token: SeTakeOwnershipPrivilege	2848	srtasks.exe
Token: SeDebugPrivilege	4804	MsiExec.exe
Token: SeRestorePrivilege	4804	MsiExec.exe
Token: SeBackupPrivilege	4804	MsiExec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe
Token: SeRestorePrivilege	100	msiexec.exe
Token: SeTakeOwnershipPrivilege	100	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3216	msiexec.exe
3216	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 2848	100	msiexec.exe	93
PID 100 wrote to memory of 2848	100	msiexec.exe	93
PID 100 wrote to memory of 4804	100	msiexec.exe	97
PID 100 wrote to memory of 4804	100	msiexec.exe	97
PID 100 wrote to memory of 4804	100	msiexec.exe	97
PID 4804 wrote to memory of 2576	4804	MsiExec.exe	101
PID 4804 wrote to memory of 2576	4804	MsiExec.exe	101
PID 4804 wrote to memory of 2576	4804	MsiExec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\15dfe.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 205AA80A572F2F3CFECA3ADFDBFA467E E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Program Files (x86)\Zoom\bin\CptInstall.exe
    "C:\Program Files (x86)\Zoom\bin\CptInstall.exe" -install -unelevate -product Zoom
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe
"C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe" -user_path "C:\Users\Admin\AppData\Roaming\Zoom"
1⤵
- Executes dropped EXE
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57180e.rbs

Filesize
45KB

MD5
9cc2cee70a267db0db7d2129dbf61cbe

SHA1
1f8fd7fd2a32eec319f603e5ff24e6359a03538d

SHA256
acf2e4c686622b5ace5199cf7aea7bde57b653009d60b5f0514bfb452c6ec60c

SHA512
98a9108e261cef21e2cec1e80b99aecaf937dec6fa8153456eadc1bfea20474cb53ca63edd7e60047022e7a896ac0464aae0dba1094c17a7679f01aff10cc4c0

Download Submit
C:\Program Files (x86)\Common Files\Zoom\Support\CptControl.exe.tmp

Filesize
74KB

MD5
ae4a45b206c56a545623437eabdded21

SHA1
50f4c5184835582ee6fdbad16c39f96a9b74ed87

SHA256
05027b31b574333ef0f87384bbf5302dcd61dd4b3304dcbfd6cae10705909fa0

SHA512
ffbeac9f367428708386a6c3f2c4d414db5718a2800a30101266cb51a7e035be7b34cd151fdd884c92d59663b385973ff17f93556f75f4807bf6e873d1790638

Download Submit
C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe

Filesize
83KB

MD5
48e2ff9e58bb68d4ddfb9d316e633c5d

SHA1
e64b6f567ea4cce4fe8489a0870596debbbcec96

SHA256
477e4f0626a3f3674a05f013ce2de7ee94658e194654e30adeba8a46efb410fe

SHA512
c153b51c6488b4b14a70448711f11544b3819f57e020588d9a907e038e674048d4d99a05471ab85b8aa790fee18b6ed4b35ea68f950811ef1d9e223e0aa883cb

Download Submit
C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe

Filesize
83KB

MD5
48e2ff9e58bb68d4ddfb9d316e633c5d

SHA1
e64b6f567ea4cce4fe8489a0870596debbbcec96

SHA256
477e4f0626a3f3674a05f013ce2de7ee94658e194654e30adeba8a46efb410fe

SHA512
c153b51c6488b4b14a70448711f11544b3819f57e020588d9a907e038e674048d4d99a05471ab85b8aa790fee18b6ed4b35ea68f950811ef1d9e223e0aa883cb

Download Submit
C:\Program Files (x86)\Common Files\Zoom\Support\CptService.exe.tmp

Filesize
83KB

MD5
48e2ff9e58bb68d4ddfb9d316e633c5d

SHA1
e64b6f567ea4cce4fe8489a0870596debbbcec96

SHA256
477e4f0626a3f3674a05f013ce2de7ee94658e194654e30adeba8a46efb410fe

SHA512
c153b51c6488b4b14a70448711f11544b3819f57e020588d9a907e038e674048d4d99a05471ab85b8aa790fee18b6ed4b35ea68f950811ef1d9e223e0aa883cb

Download Submit
C:\Program Files (x86)\Zoom\Zoom\CustomAction.dll

Filesize
415KB

MD5
4c7a3b4c08f623c7685bc0da9e2d547c

SHA1
89144e62a728d8e24f9d75f1a0ec2cfa3143e548

SHA256
512b4ef9280b32a4646da742f9ad87d059128425dafe6cd43869457965bd456b

SHA512
9891e8b9cb8f9a2a48306975a5d02a346ab5434d1047de603e188cd6f60de8dfd4e7541265d68881ac7efc20891d3e76da42ab4239eac52f2e0995a1983cbaa5

Download Submit
C:\Program Files (x86)\Zoom\Zoom\CustomAction.dll

Filesize
415KB

MD5
4c7a3b4c08f623c7685bc0da9e2d547c

SHA1
89144e62a728d8e24f9d75f1a0ec2cfa3143e548

SHA256
512b4ef9280b32a4646da742f9ad87d059128425dafe6cd43869457965bd456b

SHA512
9891e8b9cb8f9a2a48306975a5d02a346ab5434d1047de603e188cd6f60de8dfd4e7541265d68881ac7efc20891d3e76da42ab4239eac52f2e0995a1983cbaa5

Download Submit
C:\Program Files (x86)\Zoom\Zoom\CustomAction.dll

Filesize
415KB

MD5
4c7a3b4c08f623c7685bc0da9e2d547c

SHA1
89144e62a728d8e24f9d75f1a0ec2cfa3143e548

SHA256
512b4ef9280b32a4646da742f9ad87d059128425dafe6cd43869457965bd456b

SHA512
9891e8b9cb8f9a2a48306975a5d02a346ab5434d1047de603e188cd6f60de8dfd4e7541265d68881ac7efc20891d3e76da42ab4239eac52f2e0995a1983cbaa5

Download Submit
C:\Program Files (x86)\Zoom\bin\CptControl.exe

Filesize
74KB

MD5
ae4a45b206c56a545623437eabdded21

SHA1
50f4c5184835582ee6fdbad16c39f96a9b74ed87

SHA256
05027b31b574333ef0f87384bbf5302dcd61dd4b3304dcbfd6cae10705909fa0

SHA512
ffbeac9f367428708386a6c3f2c4d414db5718a2800a30101266cb51a7e035be7b34cd151fdd884c92d59663b385973ff17f93556f75f4807bf6e873d1790638

Download Submit
C:\Program Files (x86)\Zoom\bin\CptInstall.exe

Filesize
203KB

MD5
cd3aa224b04831f961760dd6eae3f67f

SHA1
f04e936917653254751e284ac817c320f0d84e4e

SHA256
c5c8dcc2d400f427b34b570f2493679e0d98426c4e86530e0e33373f1f896fe3

SHA512
df3fdde8bd63a87012f0ebf711db71539a061e3eeb79701ca3900aace94f22592af6c70ca6fe65edc0a9d88c4c9ff280b4ed78bc2db3f7be7002b974d2f17472

Download Submit
C:\Program Files (x86)\Zoom\bin\CptInstall.exe

Filesize
203KB

MD5
cd3aa224b04831f961760dd6eae3f67f

SHA1
f04e936917653254751e284ac817c320f0d84e4e

SHA256
c5c8dcc2d400f427b34b570f2493679e0d98426c4e86530e0e33373f1f896fe3

SHA512
df3fdde8bd63a87012f0ebf711db71539a061e3eeb79701ca3900aace94f22592af6c70ca6fe65edc0a9d88c4c9ff280b4ed78bc2db3f7be7002b974d2f17472

Download Submit
C:\Program Files (x86)\Zoom\bin\CptService.exe

Filesize
83KB

MD5
48e2ff9e58bb68d4ddfb9d316e633c5d

SHA1
e64b6f567ea4cce4fe8489a0870596debbbcec96

SHA256
477e4f0626a3f3674a05f013ce2de7ee94658e194654e30adeba8a46efb410fe

SHA512
c153b51c6488b4b14a70448711f11544b3819f57e020588d9a907e038e674048d4d99a05471ab85b8aa790fee18b6ed4b35ea68f950811ef1d9e223e0aa883cb

Download Submit
C:\Program Files (x86)\Zoom\bin\CptShare.dll

Filesize
227KB

MD5
7f08112c0070f2afe5c583f1577fa5be

SHA1
c715731b25996c5242858338b188e3856d52c001

SHA256
52605768155ab8f0e994e90bb63d9b1ed7d9d64d0913c6c926f50f42f211381f

SHA512
5b5304823436534f68790a082131577e99597feb12d6126a940dbbeeda29d77bea2d52e08cbbb737afdb6775bc40d148ab41bc7f60c3b2efe7001a3e04a8f9c3

Download Submit
C:\Program Files (x86)\Zoom\bin\CptShare.dll

Filesize
227KB

MD5
7f08112c0070f2afe5c583f1577fa5be

SHA1
c715731b25996c5242858338b188e3856d52c001

SHA256
52605768155ab8f0e994e90bb63d9b1ed7d9d64d0913c6c926f50f42f211381f

SHA512
5b5304823436534f68790a082131577e99597feb12d6126a940dbbeeda29d77bea2d52e08cbbb737afdb6775bc40d148ab41bc7f60c3b2efe7001a3e04a8f9c3

Download Submit
C:\Program Files (x86)\Zoom\bin\MSVCP140.dll

Filesize
443KB

MD5
eceff9c92e14b580ea84365f3d60f7de

SHA1
00699126456379fa48cb122e21b7f4731a72c57c

SHA256
265591a709a5db413d73c95b538da321edeacb40059bdceb142f997a3d458b49

SHA512
fd325d77eb2c30e1cd1b2d871986e057318c1be911793521c7bf79fb2c5dc359cb7db90c6d6c5711fedd734b6b03117b8baf241dfbd78585cf55a25983ec8727

Download Submit
C:\Program Files (x86)\Zoom\bin\VCRUNTIME140.dll

Filesize
81KB

MD5
cfc08fca16c3647a42e78ef7556e4090

SHA1
83c0d044850ce034632e4ea8deabdb6a44fb2652

SHA256
0b08756920415c5f087e65c85da1fbc7a1fafc0d91038e0425cd339c0d903910

SHA512
623028520da82aeb5be1133af4432d4fa2dcc5007c3ffcf99ba25fa82532769a78802e78b65ad62a4cd69af4dc1661730f03cc0cceb78fc3798050b9aafbafda

Download Submit
C:\Program Files (x86)\Zoom\bin\Zoom.exe

Filesize
253KB

MD5
e19d4381bc3d0dc42306a91e41fd2c4d

SHA1
bee6baf5b59de6978ae90b5e762acca68661bfa7

SHA256
892c86b8841ae94741a3b49339095618db90664e67de1c2e231e85ebc30565aa

SHA512
79a11d2ff9999dc0fa1099b3f531a56c9fe09e1fcb8a42cf29b8962dc85f146912b39c56e5f5ec0ab44e7ffac3e95136fb7e4897878be424d761f79ded35c8b3

Download Submit
C:\Program Files (x86)\Zoom\bin\msvcp140.dll

Filesize
443KB

MD5
eceff9c92e14b580ea84365f3d60f7de

SHA1
00699126456379fa48cb122e21b7f4731a72c57c

SHA256
265591a709a5db413d73c95b538da321edeacb40059bdceb142f997a3d458b49

SHA512
fd325d77eb2c30e1cd1b2d871986e057318c1be911793521c7bf79fb2c5dc359cb7db90c6d6c5711fedd734b6b03117b8baf241dfbd78585cf55a25983ec8727

Download Submit
C:\Program Files (x86)\Zoom\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Zoom\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Zoom\bin\vcruntime140.dll

Filesize
81KB

MD5
cfc08fca16c3647a42e78ef7556e4090

SHA1
83c0d044850ce034632e4ea8deabdb6a44fb2652

SHA256
0b08756920415c5f087e65c85da1fbc7a1fafc0d91038e0425cd339c0d903910

SHA512
623028520da82aeb5be1133af4432d4fa2dcc5007c3ffcf99ba25fa82532769a78802e78b65ad62a4cd69af4dc1661730f03cc0cceb78fc3798050b9aafbafda

Download Submit
C:\Program Files (x86)\Zoom\bin\zCrashReport.dll

Filesize
84KB

MD5
f254333fa073311e39d78d645b2f3f28

SHA1
2e97c1caf9d0b4cc787c41c51d49ede3b37728f9

SHA256
fddccfa75528d1dec1ccbb28db3c9fbccb57c6d3d90799cb200e7b6677980fe9

SHA512
abab2ccae8f8e4a3b17c6f3b4a31ac55eef28440b91fa4e7e5829d990c4c31c7609626cbcffd5b161073e3154e50b46a223747f5b8b840c7af45c65085173813

Download Submit
C:\Program Files (x86)\Zoom\bin\zCrashReport.dll

Filesize
84KB

MD5
f254333fa073311e39d78d645b2f3f28

SHA1
2e97c1caf9d0b4cc787c41c51d49ede3b37728f9

SHA256
fddccfa75528d1dec1ccbb28db3c9fbccb57c6d3d90799cb200e7b6677980fe9

SHA512
abab2ccae8f8e4a3b17c6f3b4a31ac55eef28440b91fa4e7e5829d990c4c31c7609626cbcffd5b161073e3154e50b46a223747f5b8b840c7af45c65085173813

Download Submit
C:\Program Files (x86)\Zoom\resources\Emojis\1f1f2-1f1eb.png

Filesize
607B

MD5
08657f68ea25e055134e0adaf29c3ab5

SHA1
c44ee2c0d453b2ad9945babf56851ad0e9df5b77

SHA256
e0d89510c60552be586dff72a75b9351ab749b90747b2d5eb77a926025e5a8dc

SHA512
74a947f286d2581c4fbb1e9f2ab66b9c93391baa75910c34e0d20b992ccdeff95773a9dfc96ebfe8e8f7b23ad93e1f3ed6ab86e74e9a262944b6c9801d966409

Download Submit
C:\Program Files (x86)\Zoom\resources\Emojis\1f1f8-1f1ef.png

Filesize
720B

MD5
130ac0e0df06e00525a7ab0dd8ad65aa

SHA1
abe3d53eb5071f295154fb6172465fea03514a5c

SHA256
dc162a4f540858fef4df3cd77fbedd291208e849a641501eb4d4ca27f56cdb36

SHA512
1a11d4eedbc43efe510a9399b51c1053a619c31442dfd61aee2ef8c20311a0388ec70df8c2375645f236b374d130092e50bb79e3b7f56c634e3fc3a67d372d75

Download Submit
C:\Program Files (x86)\Zoom\resources\emojione_low.7z

Filesize
1.9MB

MD5
8af30721fe9ea995e2171f057cc17899

SHA1
10d1bbb65df080421633ca001939e9ed99b659cd

SHA256
4d52720acb7a9eb1d257afc72a015ae110a4cd099e5256494dab79e20874e908

SHA512
f941fcdeb88d295923ecdcd523d0e7cd366dacd0938db843c6db5d1f202e03b312d33a2bdcd30ae1cca3cc7b90080a4ce9d3f3d684ce19105491c294d196e3a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
9a2c3258726f88b8322dbdbdb788ccac

SHA1
74ab45357de1e60e792b8e302f51b420f905ad2a

SHA256
f535b2a5b869c60780fb7b69f729676a8ddc42acfc157648b858f14676e18667

SHA512
37a81806beb00c6409a9ef47b99f85837a12a0de88443c7b316e23e1b9461f69096995f6443fef9a2dc98503e30c596b7afb11310c4e3d0d762cc6c0ef13e53f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_56EAD74E005D4A37E3163FC32CA8D113

Filesize
471B

MD5
1e140e711fa3c001535e1b0855f50d43

SHA1
c6f528ada37f8c70e26543ead97c06d39e20938d

SHA256
386d44076f103ebe903c6c698a26bd76a0e74b962845b72909ee45e855beb12d

SHA512
65e9d40e7bcf6141fa2d9fdb75683a2c5fdbc6cff2148292a860e8d98386311eff73b7026c0dd3f1976af5ee07ca60a40b7ad49c0afa02be81e7bc7243f6db39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
5aaca915b4abd520901f43cefe9608fd

SHA1
67dc06522f75b7c34ee59195e22a5e5752443b09

SHA256
7d2e8384b24d6507e077fac9741c09f070c3108d19694237037c4f35cf89d989

SHA512
6a3cd7b6773d440d098d5e58ff708d86b616bfc1b413ebf635208b97e6bf49d27595fe35d2a22ad164ef66a4378ab3da8986d27ea6369eb90387cfa3a48f4a31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_56EAD74E005D4A37E3163FC32CA8D113

Filesize
412B

MD5
56104a0bfca068c4c75e9bd5b7dc9a12

SHA1
cc8f39a1ad06fdea8f21bdad221753017b5ac9bf

SHA256
82702b7969293599f7b41c2fc21a194a31c456043d9ef25b755174c555e7087d

SHA512
9c9827a61f2065e8435a30a476d559b00af49bee3323c1d213aababfa1874812092a4c3ed343e7c59eb54c6e835f67baaeaa99d125e4c98504d97732b4c14784

Download Submit
C:\Windows\Installer\e57180c.msi

Filesize
32.3MB

MD5
2d070b46cbf01bfb217b2157ee97cbea

SHA1
effa91a0bfa1f813fa44720a8a596488ddba77bb

SHA256
ba27249fbd5fbdbb4c0418d1e03f4d06c09756caa15d1094c7c90b43c1505015

SHA512
77371374182e44e7decd20e43f12d870a6807b7c7d9283b13f0826305e9aed81045dcd030140ca74a845eef293881011bc9b6a4bce12bdde94c27b235f7ddbb7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
db9d2ef232f3570826a2d4bb574e8889

SHA1
97e97eb80f06ac5ed6ad8dcb7b68c63bd0ed1aa7

SHA256
5511c900a5283a279f9bc0cd88b834e986ab291745be98a8dbff78365d01f9b6

SHA512
4e25589be802504213cbf2d0aa67bea4ae07736a3fa7d29b602fecbae03f640ce76da1368e0779337d17c0ec6be7a60b1882d95cdc4e6949f86dc8ba11d5dbcc

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a23e4b7b-548e-4906-8471-70811f90d0ee}_OnDiskSnapshotProp

Filesize
5KB

MD5
e7d17fd1ad048a611fe8a311a02e0080

SHA1
b40017353c9d263ddf381c2d2e4f8eaa792854f8

SHA256
25c6aee19399e6f37f5cc3c31bcf0a188de91321dcadd512f31c7aa359b17f78

SHA512
6c7875ec622a23f6c6ca0673beea146087498b1788df20a111da1bafac3f258337ee2cae716224b5ff7dd2d6b74ed7734a65fcb8fea1a3d28c05c559a42ea6a5

Download Submit