| Field | Value |
|---|---|
| URL: | https://talentmap.zoom.us/j/85172260589?pwd=I4HpCwzk2tOxMkZSalzxplKijNa2E4.1 |
| Full analysis: | https://app.any.run/tasks/d8e7c779-bbc1-4585-9886-36cfd5c6092b |
| Verdict: | Malicious activity |
| Analysis date: | October 25, 2023, 22:25:45 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| SHA1: | 92441810579CF6628917213C36F7918A1C9123E3 |
| SHA256: | 72C82C9FBD213EB701AFC790C24BF58E79BE79E3202F81D67B5315AE2905CF65 |
| SSDEEP: | 3:N8MQf5N/UUQFOMsOcqONfZutCUn:2MQf3tM6b17uRn |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 1536 | "C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" /addfwexception --bin_home="C:\Users\admin\AppData\Roaming\Zoom\bin" | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe | | Installer.exe | admin | Zoom Video Communications, Inc. | HIGH | Zoom Installer | 0 | 5,16,5,24296 |
| 2388 | "C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" ZInstaller --conf.mode=silent --ipc_wnd=262992 | C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe | | Zoom_cm_fws8kfwrseZ9vvrZo4_mfbGMzRbayJkGtQwlX+ZY0+m1aMXhIofpB7bG@epMZyjTXpn00I3sq_k3591282798a6453f_.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Installer | 0 | 5,16,5,24296 |
| 2388 | -event 000007F4 -pid 3116 -evtname cpthost.exe3116-41-11DB3FE0 -exitevent 0000080C -exitevtname cpthost.exe3116_rpcexit-41-11DB3FE0 -user_path "C:\Users\admin\AppData\Roaming\Zoom" | C:\Users\admin\AppData\Roaming\Zoom\bin\CptHost.exe | | Zoom.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Sharing Host | 0 | 5,16,5,24296 |
| 2392 | "C:\Users\admin\AppData\Local\Temp\zm7681.tmp" -DAF8C715436E44649F1312698287E6A5=C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Zoom_cm_fws8kfwrseZ9vvrZo4_mfbGMzRbayJkGtQwlX+ZY0+m1aMXhIofpB7bG@epMZyjTXpn00I3sq_k3591282798a6453f_.exe | C:\Users\admin\AppData\Local\Temp\zm7681.tmp | — | Zoom_cm_fws8kfwrseZ9vvrZo4_mfbGMzRbayJkGtQwlX+ZY0+m1aMXhIofpB7bG@epMZyjTXpn00I3sq_k3591282798a6453f_.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Opener | 0 | 5,15,5,23 |
| 2888 | "C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=zoommtg://win.launch?h.domain=talentmap.zoom.us&h.path=join&confid=dXNzPVpGYkxQUGxyNGM5REZuM3Q2RmE4MFNNVkF4dlRnMER0SjhwRlN1RlJzQ1ZYeUstWnJZVkFNeENPQUF5WEhOaGRoU05VdnpXbUNpZGQtZVN1M184YWVad09XeFRmd2tKTnJRLlZFdjhTalRGRWhwZS0yd1EmdGlkPTI2MGMxYTMwMDkxMDRjMTFiMTNlODA0NjI5NjQyZDUz&mcv=0.92.11227.0929&stype=0&zc=0&browser=msie&action=join&confno=85172260589&pwd=I4HpCwzk2tOxMkZSalzxplKijNa2E4.1" | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | | Zoom_cm_fws8kfwrseZ9vvrZo4_mfbGMzRbayJkGtQwlX+ZY0+m1aMXhIofpB7bG@epMZyjTXpn00I3sq_k3591282798a6453f_.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Meetings | 0 | 5,16,5,24296 |
| 2980 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://talentmap.zoom.us/j/85172260589?pwd=I4HpCwzk2tOxMkZSalzxplKijNa2E4.1" | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 3116 | "C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --action=join --runaszvideo=TRUE | C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe | | Zoom.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Meetings | 0 | 5,16,5,24296 |
| 3836 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Zoom_cm_fws8kfwrseZ9vvrZo4_mfbGMzRbayJkGtQwlX+ZY0+m1aMXhIofpB7bG@epMZyjTXpn00I3sq_k3591282798a6453f_.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Zoom_cm_fws8kfwrseZ9vvrZo4_mfbGMzRbayJkGtQwlX+ZY0+m1aMXhIofpB7bG@epMZyjTXpn00I3sq_k3591282798a6453f_.exe | | iexplore.exe | admin | Zoom Video Communications, Inc. | MEDIUM | Zoom Opener | 0 | 5,15,5,23 |
| 4068 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2980 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 0 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30847387 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30847437 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 2980 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4068 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XG4GHKOT.txt | text | 9B1DB4FA5DF459C17C702B1907628B23 | 163F35E43B3A366F6835FD89EC820CE9486384BBD0827371C02C033A66F3AF83 |
| 4068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\lres[1].js | text | A824BB853A5E62D2E62EE1ECFE219292 | CFCCA75DD367EE46D359CE8DB5584A2179E8FF742E328882DC54CBD67D1AB73E |
| 4068 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C11083FD8BAD269CF864618FA59583AC_1891403E774E171AB4237C0ED2A81174 | binary | FB9DAFC8BD4865CF7E4341C1A0DC623D | 6727A6875F2764506EE0182D03F633A53ECD60B6921E3458A690AFAB62A18F8C |
| 4068 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C11083FD8BAD269CF864618FA59583AC_1891403E774E171AB4237C0ED2A81174 | binary | 62586E3D87659B2069F626967EB2534B | 25DF0A94D97001B85F55217B0D9F3FD51B4E9CBE3FB9656639EEBBF7C036D3D6 |
| 4068 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\DOTBATAV\talentmap.zoom[1].xml | text | C1DDEA3EF6BBEF3E7060A1A9AD89E4C5 | B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB |
| 4068 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\R1XF2AC9.txt | text | B40129FC084124FA864D5C96164098BA | 70CE8AA1ED74B9038FF3FE0E2D67394800730F2C098C9ADE4BDB030F1BCA29A5 |
| 4068 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\64PMGXPY.txt | text | 2F16D81B2354C0953B9F4B1806328FC3 | BC2C5EB84495DF4F943CA0BD980F4A8D75327C33D1D5C6500FDC39D836DA4E9F |
| 4068 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\K4X7O3VJ.txt | text | 20327025E55A974457D706ECBFA2F347 | E5350BF9C357DDAC75F6497A380A2173244E189B55F2924DEE12E40C4C523B25 |
| 4068 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | 1BFE591A4FE3D91B03CDF26EAACD8F89 | 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8 |
| 4068 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\85172260589[1].htm | html | 2E92BC6EC677AD7F0FE1CC03016A12BB | 146FF3B507BC65FC7207D7D9C0CECE338F5419C3401BD3E333F5CD5CC60C7C1C |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4068 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAIcL6umARqJ76Z3iMZH5HA%3D | unknown | binary | 471 b | unknown |
| 4068 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f96a15a63697bdc6 | unknown | compressed | 4.66 Kb | unknown |
| 4068 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | binary | 471 b | unknown |
| 4068 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown |
| 4068 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D | unknown | binary | 471 b | unknown |
| 4068 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAbCsehAv%2FkAxBfkV5KvfLI%3D | unknown | der | 471 b | unknown |
| 4068 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?44b7f016ec3320f4 | unknown | compressed | 4.66 Kb | unknown |
| 2980 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | unknown | binary | 471 b | unknown |
| 2980 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4068 | iexplore.exe | 170.114.52.6:443 | — | — | US | unknown |
| 4068 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
| 4068 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
| 4068 | iexplore.exe | 34.98.108.207:443 | cdn.solvvy.com | GOOGLE | US | unknown |
| 4068 | iexplore.exe | 52.84.151.6:443 | us06st3.zoom.us | AMAZON-02 | US | unknown |
| 4068 | iexplore.exe | 52.84.151.56:443 | st1.zoom.us | AMAZON-02 | US | unknown |
| 4068 | iexplore.exe | 54.235.192.240:443 | log-gateway.zoom.us | AMAZON-AES | US | unknown |
| 4068 | iexplore.exe | 104.18.130.236:443 | cdn.cookielaw.org | CLOUDFLARENET | — | unknown |
| 4068 | iexplore.exe | 172.64.155.119:443 | geolocation.onetrust.com | CLOUDFLARENET | US | unknown |
| 2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| cdn.solvvy.com | | shared |
| us06st3.zoom.us | | malicious |
| st1.zoom.us | | whitelisted |
| log-gateway.zoom.us | | unknown |
| cdn.cookielaw.org | | whitelisted |
| geolocation.onetrust.com | | whitelisted |
| api.bing.com | | whitelisted |
| www.bing.com | | whitelisted |
| Process | Message |
|---|---|
| Installer.exe | |
| Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: |
| Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src |
| Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\tmp_bin |
| Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: |
| Installer.exe | C:\Users\admin\AppData\Roaming\Zoom\tmp_uninstall |
| Installer.exe | |
| Installer.exe | |
| Installer.exe | [ProductPathHelper::RecursiveRemoveDirA] Path is: |
| Installer.exe | C:\Program Files\Mozilla Firefox\firefox.exe |