Malware analysis https://meetmarigold.zoom.us/j/91402417282 Malicious activity

Add for printing

URL:	https://meetmarigold.zoom.us/j/91402417282
Full analysis:	https://app.any.run/tasks/6bba3c59-a15b-4e9b-836f-f686c7408444
Verdict:	Malicious activity
Analysis date:	March 31, 2023, 20:37:12
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MD5:	D6EEC338FEFE3774C086E39A2CD3F0E0
SHA1:	65249406F0790F3BADFD7D8E8E18EE086A151381
SHA256:	DDCD8859A051354B48B3729A3F535F8E82CCF3F01EE4C95C89FB62E52592993F
SSDEEP:	3:N8YYp3NiLXdX:2YgijdX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
SUSPICIOUS
- Reads the Internet Settings
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
INFO
- Reads the machine GUID from the registry
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
- The process checks LSA protection
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
- Checks proxy server information
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
- Reads the computer name
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
- Checks supported languages
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
- The process uses the downloaded file
  - iexplore.exe (PID: 1732)
- Creates files or folders in the user directory
  - Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe (PID: 2768)
- Executable content was dropped or overwritten
  - iexplore.exe (PID: 1732)
  - iexplore.exe (PID: 1752)
- Create files in a temporary directory
  - iexplore.exe (PID: 1732)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1732

"C:\Program Files\Internet Explorer\iexplore.exe" "https://meetmarigold.zoom.us/j/91402417282"

C:\Program Files\Internet Explorer\iexplore.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll

1752

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:267521 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll

2768

"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe"

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe

iexplore.exe

User:

admin

Company:

Zoom Video Communications, Inc.

Integrity Level:

MEDIUM

Description:

Zoom Opener

Version:

5,10,3,4851

Modules

Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\d2u1wpac\zoom_cm_frkkwrsu5xv8bz9vvrzo4_mdvtsmmycn+wugirxxugqolgjpp+niywx9mpw@duhknhdtl6gaxfuj_kd46be2e3a15876bd_.exe
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

9 668

Read events

9 450

Write events

218

Delete events

Modification events


(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 3
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value: 659226608
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 30902802
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value: 959230748
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 30902802
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1732) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1752	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ADNKYPOE.txt		text
		MD5:332015FB7E8BFA2F85FF554229EE98EA	SHA256:DC6119C556DCB164E3EE06FC3741C4D1C02E90F6A5D402D94B3DCA6596D09CE4
1752	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\91402417282[1].htm		html
		MD5:461B52DAE874C0E8FA49F6B3EDDA08EF	SHA256:F98BA57011999261327168B43F0BD926DFDF8E7C768071A2ADF9A5D8316D67DE
1752	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\A80DPWVW.txt		text
		MD5:75FA83A55A0F39B9DD39E63EFF8AB277	SHA256:8DACBE62E34AF03E5D5945B9944BAC78B1B4C3272E26F4C0087955EBAB5D330C
1752	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7GF3MDB8.txt		text
		MD5:0DF54E8C878DE333EF79168FE2F2CCBA	SHA256:98D94C0323EFAE61C160AFFC18A82D087CFB77F9290FEFEA03247E4EC05846EF
1752	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SLRNP3YJ.txt		text
		MD5:3E2F1AD7FCCD7F2FB90A94E6A0AE7ED1	SHA256:1012AECE3FE699662C2456B939427AEF2885025B02615750E3FBBD4026541DC2
1752	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\38B5GPAW.txt		text
		MD5:B278935528473C6BA8241643BC5A3627	SHA256:5AF43D8F1D346B3A6CB6963F5664C372332494D1645DA0A33AE99B415F39F6CF
1752	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5Z1826EE.txt		text
		MD5:545EA85CB77C2F5445F9EAF814FCFC24	SHA256:4B6430080535B4D2C3F8F613088225831608F19520F4CECA067FF16461207705
1752	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\meeting.63c5f21c827d535767da[1].js		text
		MD5:E37C4B788EE938CC63A3E61A3FB0F2B4	SHA256:75365276F06FE70EC3750D91D986BBE0699560844F1A106C3C8EC5B5568D2436
1732	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico		image
		MD5:DA597791BE3B6E732F0BC8B20E38EE62	SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
1732	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[2].ico		image
		MD5:DA597791BE3B6E732F0BC8B20E38EE62	SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1752	iexplore.exe	170.114.52.2:443	meetmarigold.zoom.us	—	US	suspicious
1752	iexplore.exe	18.66.130.242:443	st3.zoom.us	AMAZON-02	US	unknown
—	—	18.66.147.60:443	static.ada.support	AMAZON-02	US	suspicious
—	—	209.197.3.8:80	ctldl.windowsupdate.com	STACKPATH-CDN	US	whitelisted
—	—	18.66.130.242:443	st3.zoom.us	AMAZON-02	US	unknown
—	—	34.98.108.207:443	cdn.solvvy.com	GOOGLE	US	unknown
2768	Zoom_cm_frkkwrsu5xv8bZ9vvrZo4_mDvtsMMyCn+wuGIRxXuGQOlgJpp+niYWx9mPW@DuhKnhdTL6GaXfuj_kd46be2e3a15876bd_.exe	170.114.52.2:443	meetmarigold.zoom.us	—	US	suspicious
—	—	54.227.249.145:443	log-gateway.zoom.us	AMAZON-AES	US	unknown
1732	iexplore.exe	204.79.197.200:443	www.bing.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1752	iexplore.exe	18.66.147.95:443	static.ada.support	AMAZON-02	US	suspicious

DNS requests

Domain	IP	Reputation
meetmarigold.zoom.us	170.114.52.2	suspicious
static.ada.support	18.66.147.60 18.66.147.95 18.66.147.121 18.66.147.113	whitelisted
cdn.solvvy.com	34.98.108.207	shared
st3.zoom.us	18.66.130.242	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
api.bing.com	13.107.5.80	whitelisted
st1.zoom.us	18.66.130.242	whitelisted
ctldl.windowsupdate.com	209.197.3.8	whitelisted
log-gateway.zoom.us	54.227.249.145 54.235.192.240	unknown
cdn.cookielaw.org	104.19.187.97 104.19.188.97	whitelisted

Threats

PID	Process	Class	Message
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1752	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1732	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee
1732	iexplore.exe	Unknown Traffic	ET JA3 Hash - [Abuse.ch] Possible Tofsee

Add for printing

No debug info

General Info

https://meetmarigold.zoom.us/j/91402417282

D6EEC338FEFE3774C086E39A2CD3F0E0

65249406F0790F3BADFD7D8E8E18EE086A151381

DDCD8859A051354B48B3729A3F535F8E82CCF3F01EE4C95C89FB62E52592993F

3:N8YYp3NiLXdX:2YgijdX

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Reads the Internet Settings

INFO

Reads the machine GUID from the registry

The process checks LSA protection

Checks proxy server information

Reads the computer name

Checks supported languages

The process uses the downloaded file

Creates files or folders in the user directory

Executable content was dropped or overwritten

Create files in a temporary directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings