URL: | https://us04web.zoom.us/j/825676553 |
Full analysis: | https://app.any.run/tasks/9bf098db-6f6a-4be8-8274-37c3aa9e295a |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 08:45:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 77672C80F5BE3AA0D44F6721B50FC5FC |
SHA1: | 0B810051294F2BEC8C412BF89EF9A3FDCD7B92DB |
SHA256: | 3F6CB59CF5EC92E03E41703320FC281ED35EF53031964D0CD49D27947F306055 |
SSDEEP: | 3:N8VeKILQN4G6Wn:2j94G9 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1720 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://us04web.zoom.us/j/825676553" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3616 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1720 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2492 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Zoom_o42l8sofizku_59e256195ef91dfb.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Zoom_o42l8sofizku_59e256195ef91dfb.exe | iexplore.exe | ||||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Opener Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
680 | "C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" ZInstaller --conf.mode=silent --ipc_wnd=262536 | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe | Zoom_o42l8sofizku_59e256195ef91dfb.exe | ||||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Installer Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
1684 | "C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" /addfwexception --bin_home="C:\Users\admin\AppData\Roaming\Zoom\bin" | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe | Installer.exe | ||||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: HIGH Description: Zoom Installer Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
2608 | "C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=zoommtg://win.launch?action=join&browser=msie&confid=dXNzPTU2NWNlNWI3LnhXUUdIRjV6NnlzaGFPdmdLVGlPRTZsZkdjcWNsWkJPcXlnOGNCUHRiRmYwbnVMd3RJTjBKb2REWDlmNDdBazZSdkwxWkpzRHZYUmxFczEyUUg1S0ZBJTNEJTNEJnRpZD03NmVmNDFhNDM2YzI0MDgwOGRjZmJiODhjZWJmYjExZg%3D%3D&confno=825676553&mcv=0.92.11227.0929&zc=0" | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | Zoom_o42l8sofizku_59e256195ef91dfb.exe | ||||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
1684 | "C:\Users\admin\AppData\Local\Temp\zm5BD1.tmp" -DAF8C715436E44649F1312698287E6A5=C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Zoom_o42l8sofizku_59e256195ef91dfb.exe | C:\Users\admin\AppData\Local\Temp\zm5BD1.tmp | — | Zoom_o42l8sofizku_59e256195ef91dfb.exe | |||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Opener Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
3548 | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe --action=join --runaszvideo=TRUE | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | Zoom.exe | ||||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
2816 | Zoom.exe --action=uploadFeedback | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | — | Zoom.exe | |||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Exit code: 0 Version: 4,6,19178,0323 Modules
| |||||||||||||||
572 | Zoom.exe --action=uploadFeedback | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | — | Zoom.exe | |||||||||||
User: admin Company: Zoom Video Communications, Inc. Integrity Level: MEDIUM Description: Zoom Exit code: 0 Version: 4,6,19178,0323 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
1720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab965C.tmp | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar965D.tmp | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\I62BBKP0.txt | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4IT734EV.txt | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\137XNXRM.txt | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PEY6WIWY.txt | — | |
MD5:— | SHA256:— | |||
3616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5FD5BF0CE6372B1CAFE381FD0BC969C | binary | |
MD5:8BB78ADEB4493D4FA9839CF7F4F1BFD3 | SHA256:D34A3AA1D7414A06C49ACAD55BBD576E9A683B56FA2FAA6EA22B0DF0473F2288 | |||
3616 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | |
MD5:8CBE18BF78B0B557F6297168DD355EC3 | SHA256:DE38E82F56134942EE4CBF523283A332A28DA66EC299B932822571C8D62D1332 | |||
3616 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\launch.min[1].css | text | |
MD5:105594F2452FE32A3B15D9D6AFF6F21F | SHA256:5475EB29505EBB24CFBB837CE642F063923EB8572075A8A09E7E2558CBD7A2DD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3616 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3616 | iexplore.exe | GET | 200 | 52.222.149.213:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
3616 | iexplore.exe | GET | 200 | 52.222.149.213:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
3616 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://crl.godaddy.com/gdroot.crl | US | der | 429 b | whitelisted |
3616 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQC5UUQDFilM79r2jgo50n2A | US | der | 472 b | whitelisted |
3616 | iexplore.exe | GET | 200 | 52.222.149.182:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
3616 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
3616 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
3616 | iexplore.exe | GET | 200 | 52.222.149.213:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
1720 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1720 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3616 | iexplore.exe | 192.124.249.41:80 | ocsp.godaddy.com | Sucuri | US | suspicious |
3616 | iexplore.exe | 3.235.82.211:443 | us04web.zoom.us | — | US | unknown |
3616 | iexplore.exe | 52.222.158.54:443 | us04st1.zoom.us | Amazon.com, Inc. | US | malicious |
3616 | iexplore.exe | 104.18.72.113:443 | static.zdassets.com | Cloudflare Inc | US | shared |
3616 | iexplore.exe | 52.222.158.107:443 | us04st1.zoom.us | Amazon.com, Inc. | US | whitelisted |
3616 | iexplore.exe | 52.222.158.77:443 | us04st1.zoom.us | Amazon.com, Inc. | US | whitelisted |
3616 | iexplore.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
3616 | iexplore.exe | 172.217.23.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3616 | iexplore.exe | 216.58.210.14:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
us04web.zoom.us |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
crl.godaddy.com |
| whitelisted |
us04st1.zoom.us |
| whitelisted |
us04st2.zoom.us |
| whitelisted |
us04st3.zoom.us |
| whitelisted |
static.ada.support |
| whitelisted |
static.zdassets.com |
| whitelisted |
Process | Message |
---|---|
Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src |
Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src |
Installer.exe | |
Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: |
Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\uninstall |
Installer.exe | |
Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: |
Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\bin |
Installer.exe | |
Installer.exe | [CZoomProductPathHelper::RecursiveRemoveDirA] Path is: |