General Info

File name

Zoom_badf4203c40a409c.exe

Full analysis
https://app.any.run/tasks/804e69a6-9e79-492b-8c71-57c11b564e7d
Verdict
Malicious activity
Analysis date
3/14/2019, 23:38:20
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

c42b05c459306678db2f553f881ea72f

SHA1

2e29124efcb7cb19f823b78e5e2c084b5f97bd7f

SHA256

ebed1c6ec1ab1e4f69b6ce5533c5393660ecc3ba922ca7834d7223f6ad7bae01

SSDEEP

1536:MoWYZeUtIqyluTWAp9PDxeG8D3qd8IAAL/V7mkRZ+KQdZAj:zWYZeUSqykWqxA7qFAAJRpQdZAj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • Zoom.exe (PID: 3252)
  • cpthost.exe (PID: 2540)
  • Zoom.exe (PID: 3992)
  • Installer.exe (PID: 3196)
  • Installer.exe (PID: 4036)
Loads dropped or rewritten executable
  • cpthost.exe (PID: 2540)
  • Zoom.exe (PID: 3992)
  • Zoom.exe (PID: 3252)
  • Installer.exe (PID: 4036)
Creates files in the user directory
  • cpthost.exe (PID: 2540)
  • Zoom.exe (PID: 3992)
  • Zoom.exe (PID: 3252)
  • Zoom_badf4203c40a409c.exe (PID: 3132)
  • Installer.exe (PID: 4036)
Application launched itself
  • Zoom.exe (PID: 3252)
  • Installer.exe (PID: 4036)
Starts application with an unusual extension
  • Zoom_badf4203c40a409c.exe (PID: 3132)
Starts itself from another location
  • Zoom_badf4203c40a409c.exe (PID: 3132)
Changes IE settings (feature browser emulation)
  • Installer.exe (PID: 4036)
Modifies the open verb of a shell class
  • Installer.exe (PID: 4036)
Creates a software uninstall entry
  • Installer.exe (PID: 4036)
Executable content was dropped or overwritten
  • Zoom_badf4203c40a409c.exe (PID: 3132)
  • Installer.exe (PID: 4036)
Reads settings of System Certificates
  • Zoom.exe (PID: 3992)
  • Zoom_badf4203c40a409c.exe (PID: 3132)
Dropped object may contain Bitcoin addresses
  • Installer.exe (PID: 4036)

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.2%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:08:06 06:34:13+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
36864
InitializedDataSize:
20992
UninitializedDataSize:
null
EntryPoint:
0x1276
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
4.1.29637.806
ProductVersionNumber:
4.1.29637.806
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
Comments:
Zoom Meetings Opener
CompanyName:
Zoom Video Communications, Inc.
FileDescription:
Zoom Meetings Opener
FileVersion:
4,1,29637,0806
InternalName:
Zoom Meetings Opener
LegalCopyright:
Copyright ©2012-2018 Zoom Video Communications, Inc. All rights reserved.
LegalTrademarks:
Zoom Meetings Opener
OriginalFileName:
Zoom Meetings Opener
ProductName:
Zoom Meetings Opener
ProductVersion:
4,1,29637,0806
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
06-Aug-2018 04:34:13
Detected languages
English - United States
Debug artifacts
d:\ZoomCode\B_41_127695\Bin\Release\NewWebLauncher\ZoomWebLauncher.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000C8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
06-Aug-2018 04:34:13
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00008FE6 | 0x00009000 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.43199
.rdata | 0x0000A000 | 0x0000241B | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 5.47139
.data | 0x0000D000 | 0x0000014C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0.10191
.rsrc | 0x0000E000 | 0x00001F18 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 3.9183
.reloc | 0x00010000 | 0x0000092C | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ | 5.87218
Resources
1

2

7

32

33

Imports
    CRYPT32.dll

    KERNEL32.dll

    USER32.dll

    GDI32.dll

    ADVAPI32.dll

    SHELL32.dll

Exports

    No exports.

Processes

Total processes
41
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes shown: zoom_badf4203c40a409c.exe, installer.exe, installer.exe, zoom.exe, zm1164.tmp (no specs), zoom.exe, cpthost.exe. Edge labels: "drop and start", "start".

Process information

PID
3132
CMD
"C:\Users\admin\AppData\Local\Temp\Zoom_badf4203c40a409c.exe"
Path
C:\Users\admin\AppData\Local\Temp\Zoom_badf4203c40a409c.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Meetings Opener
Version
4,1,29637,0806
Modules
Image
c:\users\admin\appdata\local\temp\zoom_badf4203c40a409c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\roaming\zoom\zoomdownload\installer.exe
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\users\admin\appdata\local\temp\zm1164.tmp

PID
4036
CMD
"C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" ZInstaller --conf.mode=silent --ipc_wnd=65830
Path
C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
Indicators
Parent process
Zoom_badf4203c40a409c.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Meetings Installer
Version
4,3,46560,0311
Modules
Image
c:\users\admin\appdata\roaming\zoom\zoomdownload\installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\linkinfo.dll
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\users\admin\appdata\roaming\zoom\uninstall\installer.exe
c:\users\admin\appdata\roaming\zoom\bin\cptshare.dll
c:\windows\system32\winmm.dll
c:\users\admin\appdata\roaming\zoom\bin\zcrashreport.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wintrust.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll

PID
3196
CMD
"C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" /addfwexception --bin_home="C:\Users\admin\AppData\Roaming\Zoom\bin"
Path
C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
Indicators
Parent process
Installer.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Meetings Installer
Version
4,3,46560,0311
Modules
Image
c:\users\admin\appdata\roaming\zoom\zoomdownload\installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll

PID
3252
CMD
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=zoommtg://win.launch?action=join&browser=chrome&confid=dGlkPTM4ODNhNjhmZmEyYTQyZmI4Yjg4YTZmOWFlMTIzZjE4&confno=353618434&mcv=0.92.11227.0929&zc=0"
Path
C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe
Indicators
Parent process
Zoom_badf4203c40a409c.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Meetings
Version
4,3,46560,0311
Modules
Image
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\zoom\bin\zcrashreport.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\users\admin\appdata\roaming\zoom\bin\cmmlib.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\roaming\zoom\bin\duilib.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleacc.dll
c:\users\admin\appdata\roaming\zoom\bin\msaalib.dll
c:\users\admin\appdata\roaming\zoom\bin\util.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\users\admin\appdata\roaming\zoom\bin\libeay32.dll
c:\users\admin\appdata\roaming\zoom\bin\tp.dll
c:\users\admin\appdata\roaming\zoom\bin\ssleay32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\traffic.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\zoom\bin\zchatapp.dll
c:\windows\system32\samcli.dll
c:\users\admin\appdata\roaming\zoom\bin\xmppdll.dll
c:\users\admin\appdata\roaming\zoom\bin\zchatui.dll
c:\users\admin\appdata\roaming\zoom\bin\reslib.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\sensapi.dll
c:\users\admin\appdata\roaming\zoom\bin\zwinres.dll
c:\users\admin\appdata\roaming\zoom\bin\zwebservice.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\jsproxy.dll
c:\windows\system32\mshtml.dll
c:\users\admin\appdata\roaming\zoom\bin\zvideoapp.dll
c:\users\admin\appdata\roaming\zoom\bin\mcm.dll
c:\users\admin\appdata\roaming\zoom\bin\nydus.dll
c:\users\admin\appdata\roaming\zoom\bin\viper.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\vga.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\zoom\bin\zautoupdate.dll
c:\users\admin\appdata\roaming\zoom\bin\zdata.dll
c:\windows\system32\gpapi.dll
c:\users\admin\appdata\roaming\zoom\bin\zzhost.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\users\admin\appdata\roaming\zoom\bin\cmmbrowserengine.dll
c:\windows\system32\netbios.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll

PID
2888
CMD
"C:\Users\admin\AppData\Local\Temp\zm1164.tmp" -DAF8C715436E44649F1312698287E6A5=C:\Users\admin\AppData\Local\Temp\Zoom_badf4203c40a409c.exe
Path
C:\Users\admin\AppData\Local\Temp\zm1164.tmp
Indicators
No indicators
Parent process
Zoom_badf4203c40a409c.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Meetings Opener
Version
4,1,29637,0806
Modules
Image
c:\users\admin\appdata\local\temp\zm1164.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3992
CMD
C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe --action=join --runaszvideo=TRUE
Path
C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe
Indicators
Parent process
Zoom.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Meetings
Version
4,3,46560,0311
Modules
Image
c:\users\admin\appdata\roaming\zoom\bin\zoom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\zoom\bin\zcrashreport.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\users\admin\appdata\roaming\zoom\bin\cmmlib.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\roaming\zoom\bin\duilib.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleacc.dll
c:\users\admin\appdata\roaming\zoom\bin\msaalib.dll
c:\users\admin\appdata\roaming\zoom\bin\util.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\users\admin\appdata\roaming\zoom\bin\libeay32.dll
c:\users\admin\appdata\roaming\zoom\bin\tp.dll
c:\users\admin\appdata\roaming\zoom\bin\ssleay32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\traffic.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\zoom\bin\zvideoui.dll
c:\users\admin\appdata\roaming\zoom\bin\reslib.dll
c:\windows\system32\comdlg32.dll
c:\users\admin\appdata\roaming\zoom\bin\zwinres.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\users\admin\appdata\roaming\zoom\bin\zvideoapp.dll
c:\users\admin\appdata\roaming\zoom\bin\xmppdll.dll
c:\users\admin\appdata\roaming\zoom\bin\zwebservice.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\jsproxy.dll
c:\windows\system32\mshtml.dll
c:\users\admin\appdata\roaming\zoom\bin\mcm.dll
c:\users\admin\appdata\roaming\zoom\bin\nydus.dll
c:\users\admin\appdata\roaming\zoom\bin\viper.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\vga.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\zoom\bin\ssb_sdk.dll
c:\users\admin\appdata\roaming\zoom\bin\zdata.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\roaming\zoom\bin\zzhost.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\devenum.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d11.dll
c:\users\admin\appdata\roaming\zoom\bin\zmb.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cryptnet.dll
c:\users\admin\appdata\roaming\zoom\bin\cptshare.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\zoom\bin\cpthost.exe
c:\users\admin\appdata\roaming\zoom\bin\zlt.dll
c:\windows\system32\cscapi.dll

PID
2540
CMD
-event 1756 -pid 3992 -evtname cpthost.exe3992 -exitevent 1760 -exitevtname cpthost.exe3992_rpcexit -user_path "C:\Users\admin\AppData\Roaming\Zoom"
Path
C:\Users\admin\AppData\Roaming\Zoom\bin\cpthost.exe
Indicators
Parent process
Zoom.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Zoom Video Communications, Inc.
Description
Zoom Sharing
Version
2, 5, 2014, 228
Modules
Image
c:\users\admin\appdata\roaming\zoom\bin\cpthost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\zoom\bin\zcrashreport.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\roaming\zoom\bin\zwinres.dll
c:\users\admin\appdata\roaming\zoom\bin\reslib.dll
c:\users\admin\appdata\roaming\zoom\bin\cmmlib.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll

Registry activity

Total events
1363
Read events
1240
Write events
123
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASAPI32
EnableFileTracing
0
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASAPI32
EnableConsoleTracing
0
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASAPI32
FileTracingMask
4294901760
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASAPI32
ConsoleTracingMask
4294901760
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASAPI32
MaxFileSize
1048576
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASAPI32
FileDirectory
%windir%\tracing
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASMANCS
EnableFileTracing
0
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASMANCS
EnableConsoleTracing
0
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASMANCS
FileTracingMask
4294901760
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASMANCS
ConsoleTracingMask
4294901760
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASMANCS
MaxFileSize
1048576
3132
Zoom_badf4203c40a409c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Zoom_badf4203c40a409c_RASMANCS
FileDirectory
%windir%\tracing
3132
Zoom_badf4203c40a409c.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3132
Zoom_badf4203c40a409c.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(binary value, hex data omitted)
3132
Zoom_badf4203c40a409c.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3132
Zoom_badf4203c40a409c.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3132
Zoom_badf4203c40a409c.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
DisplayIcon
C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
DisplayName
Zoom
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
DisplayVersion
4.3
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
EstimatedSize
10000
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
HelpLink
https://support.zoom.us/home
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
URLInfoAbout
https://zoom.us
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
URLUpdateInfo
https://zoom.us
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
Publisher
Zoom Video Communications, Inc.
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
UninstallString
C:\Users\admin\AppData\Roaming\Zoom\uninstall\Installer.exe /uninstall
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
InstallLocation
C:\Users\admin\AppData\Roaming\Zoom\bin
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
NoModify
1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoomUMX
NoRepair
1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Zoom.exe
11000
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
Version
1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
Path
C:\Users\admin\AppData\Roaming\Zoom\bin\npzoomplugin.dll
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
ProductName
Zoom Video Plugin
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
Description
Zoom Video Plugin
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\MozillaPlugins\@zoom.us/ZoomVideoPlugin
Vendor
Zoom Video Communications, Inc.
4036
Installer.exe
write
HKEY_CLASSES_ROOT\.zoommtg
ZoomLauncher
4036
Installer.exe
write
HKEY_CLASSES_ROOT\.zoommtg
Content Type
application/x-zoommtg-launcher
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomLauncher
Zoom Launcher - 3.0.1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomLauncher\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=%1"
4036
Installer.exe
write
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-zoommtg-launcher
Extension
.zoommtg
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Zoom 3.6.0
4036
Installer.exe
write
HKEY_CLASSES_ROOT\zoommtg
URL:Zoom Launcher
4036
Installer.exe
write
HKEY_CLASSES_ROOT\zoommtg
URL Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\zoommtg
UseOriginalUrlEncoding
1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\zoommtg\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\zoommtg\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=%1"
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ProtocolExecute\zoommtg
WarnOnOpen
0
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}
AppName
Zoom.exe
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}
AppPath
C:\Users\admin\AppData\Roaming\Zoom\bin
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}
Policy
3
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomRecording
Zoom Recording File
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomRecording\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomRecording\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\zTscoder.exe" "%1"
4036
Installer.exe
write
HKEY_CLASSES_ROOT\.zoom
ZoomRecording
4036
Installer.exe
write
HKEY_CLASSES_ROOT\callto
URL:callto Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\callto
URL Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\callto\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\callto\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --url="%l"
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.callto
URL:callto Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.callto
URL Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.callto\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.callto\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --url="%l"
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX
ZoomPBX
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Capabilities
ApplicationDescription
Zoom PBX Protocol
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Capabilities
ApplicationIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Capabilities
ApplicationName
Zoom
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Capabilities\UrlAssociations
callto
ZoomPbx.callto
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\callto
URL:callto Protocol
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\callto
URL Protocol
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\callto\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\callto\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --url="%l"
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe"
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\RegisteredApplications
ZoomPBX
Software\Clients\ZoomPBX\ZoomPBX\Capabilities
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\callto\UserChoice
Progid
ZoomPbx.callto
4036
Installer.exe
write
HKEY_CLASSES_ROOT\tel
URL:tel Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\tel
URL Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\tel\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\tel\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --url="%l"
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.tel
URL:tel Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.tel
URL Protocol
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.tel\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CLASSES_ROOT\ZoomPbx.tel\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --url="%l"
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Capabilities\UrlAssociations
tel
ZoomPbx.tel
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\tel
URL:tel Protocol
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\tel
URL Protocol
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\tel\DefaultIcon
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe",1
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Clients\ZoomPBX\ZoomPBX\Protocols\tel\shell\open\command
"C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe" --url="%l"
4036
Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\tel\UserChoice
Progid
ZoomPbx.tel
3252
Zoom.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
Zoom.exe
3992
Zoom.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
Zoom.exe
3992
Zoom.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2540
cpthost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
cpthost.exe

Files activity

Executable files
85
Suspicious files
36
Text files
13
Unknown types
3

Dropped files

PID
Process
Filename
Type
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\Cmmlib.dll
executable
MD5: 0a543d7be03351f4ee241e673010321e
SHA256: 363239f128e2e1f023a8f11c86ccabe324e902fbadc7d8cb89f9f8c742e0d80f
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\XmppDll.dll
executable
MD5: 48282f9a688f0b7d5b67c5d087c46932
SHA256: 87d0a088c2cd1f889dc2635395dcb1de4625f0e7f80863f444a84ec1d9166fe3
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zCrashReport.exe
executable
MD5: e70b129260be1335723237674b606af9
SHA256: 96af57323a0da3630af02d638ffffecf952bd6d26ef006845e2a722bf3c1d463
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\ssleay32.dll
executable
MD5: 3c6e0301f29d084ed780f51d826a2ee0
SHA256: f175c7ccfbb2cb9ee60fcf3ceea56e92d9820506ffa38dee28516ab7df78b5d1
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zlt.dll
executable
MD5: d6b8c21a9722ce64df6b7cce3081e5f0
SHA256: 4ee4d83fa1651f227ebfd51d41a0b22cdc1e1da28dfc0f4aa588bb87ead8e44e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zData.dll
executable
MD5: 97431d67a9aaa33241e580edc7aaeba3
SHA256: a616f9009aac4057af47e52973db27055cd4b008f5d1f84cc476810d65ce0b18
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zChatUI.dll
executable
MD5: 99955299492b7c039b366e12a5ad5d33
SHA256: fca43a3aa2afcf2f17ea84bae99657b3f27c5a044a3347c6d0a3040764f0acd4
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\libeay32.dll
executable
MD5: 004a18964d3813d1dc1dac3f839e5ee6
SHA256: 17079987a441cd7b8881689c028780b0d31a2c37e5daeebe0ef1b2e3a266fa7e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zWinRes.dll
executable
MD5: 7f66ca0b3fc76a833ab730cf12d43f93
SHA256: 6bb0a339e7c9a4eb339ad7908d354b9a8a3818b26906adb67671181460917f2c
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\DuiLib.dll
executable
MD5: 5db1a899051eaa4cc8ecf899e5ceb941
SHA256: 7a6055f410978b69e7a2d8dc7259ae4fd5cec85baae6abc9a9207dffe5eb09dc
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom_launcher.exe
executable
MD5: 3fa136788d997f017415bc16cacb9b0f
SHA256: 88896bcdd98a8ee48ef5f4cbd36bfcff61797e4d0041232c20fbb093ee61968e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zChatApp.dll
executable
MD5: 1a66331b8d177ceab7cd66752b73cc8d
SHA256: 4526f0faf5689da84f051142d933f359d46954afaf78bbbbe73eb2d6158ae0ec
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\ssb_sdk.dll
executable
MD5: 9b923ac59c94a9f20940a6f9dbc69736
SHA256: 716eeaa0a0a528e6d2bd494e95b4dd59bb221ffbaaee193cfeee44ad3e6f3864
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zCrashReport.dll
executable
MD5: af91d61d820e126a28f467d2534c31d0
SHA256: 8d158b4f37b060464ff7264a60d1f4fc35be25a6a929608560e36a6e84916ada
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zTscoder.exe
executable
MD5: c82232d89a78fdb872a3385157c56f92
SHA256: 015b4504d21c1057a1ea912dba432f78f82e393a671108bd75a36be155dd6ebf
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zChatUI.dll
executable
MD5: 99955299492b7c039b366e12a5ad5d33
SHA256: fca43a3aa2afcf2f17ea84bae99657b3f27c5a044a3347c6d0a3040764f0acd4
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\libfaac.dll
executable
MD5: 8092e04456fe2e9396231de6bf9e0157
SHA256: 3205b0fd491e31ea3e6049e25d24fe7f2537dd244296395e1b77066308cbe989
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zChatApp.dll
executable
MD5: 1a66331b8d177ceab7cd66752b73cc8d
SHA256: 4526f0faf5689da84f051142d933f359d46954afaf78bbbbe73eb2d6158ae0ec
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\Zoom.exe
executable
MD5: f9e8cd34351bb42b5ac4bdbbd766cbe4
SHA256: e50a27a1ba7be70ead2d3d1cfaa3231b79994ec7e61fce510421b908e49db8da
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\viper.dll
executable
MD5: 3d901dc7a78c52a098a7333689b7af65
SHA256: e5b16b5e9b930634ec4df596e7617ad288f6c5992a0c4b469b963584fda90852
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\npzoomplugin.dll
executable
MD5: b03af9f7c3c24e1d42915623c5256b9e
SHA256: 7ceef31bb2bf020079d173b117720fbb614de5fa3bf9e33355f4c0413ea65810
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\viper.dll
executable
MD5: 3d901dc7a78c52a098a7333689b7af65
SHA256: e5b16b5e9b930634ec4df596e7617ad288f6c5992a0c4b469b963584fda90852
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\reslib.dll
executable
MD5: d502f804167ee9f9ff0ed71977184619
SHA256: b2559fb84e7409b8bd6e55f2c4dafdb1316ba751487fbe885864894169d64bda
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\tp.dll
executable
MD5: b335ffd58138258e295328626826aa7f
SHA256: 516121c2c6e0fba7ace4d649aa322e97adfa368a8e4415b44b0787b79b6aecbf
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\CptInstall.exe
executable
MD5: becc8400343c7de488098746c420ec57
SHA256: 8ce01b4c3b3533d97e51f808f067265167b1d26b802fcae3a0e259c899b6086d
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zAutoUpdate.dll
executable
MD5: 48c402f19ce66fc27f7c02ede425285a
SHA256: df571f92b67fc050be6267210e6bae47e669af1e110c1c93875407868f03b99d
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zVideoApp.dll
executable
MD5: 760826e0bc0bb24de47c44291be2ab5b
SHA256: eb930c5efe8ba505460d54b90680768b07e976aa0ee6199c83d83d181adaa23e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zAutoUpdate.dll
executable
MD5: 48c402f19ce66fc27f7c02ede425285a
SHA256: df571f92b67fc050be6267210e6bae47e669af1e110c1c93875407868f03b99d
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\reslib.dll
executable
MD5: d502f804167ee9f9ff0ed71977184619
SHA256: b2559fb84e7409b8bd6e55f2c4dafdb1316ba751487fbe885864894169d64bda
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\tp.dll
executable
MD5: b335ffd58138258e295328626826aa7f
SHA256: 516121c2c6e0fba7ace4d649aa322e97adfa368a8e4415b44b0787b79b6aecbf
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zWebService.dll
executable
MD5: c734a10d901697ae52520f3363bffe8b
SHA256: 89ed79047a228a6257ae127d9bb48faf453ec335ad85bcd1523b2035622faec6
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\util.dll
executable
MD5: 9073b1bec68d959ecd3aae429f2718a9
SHA256: 2ca987bd83fe0973ae84cf555f83ef41ed3ace515ddad5f49eed2de6c0b2845e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\CptShare.dll
executable
MD5: d3e49ca6fb30aaf655659a57345d7619
SHA256: de123c6f6dbf1e1bdb86d2333374788f9fe6bd6c729abe97b6b09a78926d898b
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\util.dll
executable
MD5: 9073b1bec68d959ecd3aae429f2718a9
SHA256: 2ca987bd83fe0973ae84cf555f83ef41ed3ace515ddad5f49eed2de6c0b2845e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zmb.dll
executable
MD5: 167b69cee6053c32bfcb570100b280e3
SHA256: 14428e1839a57846a6ad946db47e6e514f43b1cc3a226e4baeb06ebd24813c38
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\Zoom.exe
executable
MD5: f9e8cd34351bb42b5ac4bdbbd766cbe4
SHA256: e50a27a1ba7be70ead2d3d1cfaa3231b79994ec7e61fce510421b908e49db8da
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\nydus.dll
executable
MD5: ee288d7ddc7d5951e04c34c5ceafe4a0
SHA256: 58003bf6d8eb4f40b760f122e4c9e0a1102d7a4d5db1a7a5398698daad50fe05
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\mcm.dll
executable
MD5: f2791cf32ffcb9281fcd4b55926502e9
SHA256: 06d0c0fae2e57855cadba94f573f925db1465eec2159f360596b1cb6a5c85175
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zVideoUI.dll
executable
MD5: aadf421ccb127dcadf851135318e3dcd
SHA256: 3b0523429552e7fca77509d7e977e40641fb2748984f02af0799628a5467c771
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zData.dll
executable
MD5: 97431d67a9aaa33241e580edc7aaeba3
SHA256: a616f9009aac4057af47e52973db27055cd4b008f5d1f84cc476810d65ce0b18
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\CmmBrowserEngine.dll
executable
MD5: 89921e6d6ef33ce7f13fb5acfa65c071
SHA256: 99129dbec3f212279b31f4a90babc91ce4784c127a00574cb1c57dc6267d9922
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\ssb_sdk.dll
executable
MD5: 9b923ac59c94a9f20940a6f9dbc69736
SHA256: 716eeaa0a0a528e6d2bd494e95b4dd59bb221ffbaaee193cfeee44ad3e6f3864
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\annoter.dll
executable
MD5: dce97432248c231c6a11a0d62b757e9c
SHA256: 1e35897240b5967d8ca591ec485d2c1c400626c40f101689e3ba23035be78b24
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zlt.dll
executable
MD5: d6b8c21a9722ce64df6b7cce3081e5f0
SHA256: 4ee4d83fa1651f227ebfd51d41a0b22cdc1e1da28dfc0f4aa588bb87ead8e44e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\CptService.exe
executable
MD5: e952f9acf362a288634ad5f62601f71c
SHA256: 91ea4d2fcfc16bd357192d2dc66746008c1a2f65a3e4b3a7f7da4cc499449886
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\npzoomplugin.dll
executable
MD5: b03af9f7c3c24e1d42915623c5256b9e
SHA256: 7ceef31bb2bf020079d173b117720fbb614de5fa3bf9e33355f4c0413ea65810
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\uninstall\Installer.exe
executable
MD5: 896690d849f668110aa38da674e810d2
SHA256: b7bc4ae2b478813fec15543db51a9483e56254049eabeb1819a9dfd74fcdbfb3
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zTscoder.exe
executable
MD5: c82232d89a78fdb872a3385157c56f92
SHA256: 015b4504d21c1057a1ea912dba432f78f82e393a671108bd75a36be155dd6ebf
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\msaalib.dll
executable
MD5: f8b6d18364eabbbf3ebe2a0972782cb8
SHA256: 79535156cd94b8bee1033dbcc5fc893f1dc0efe1c18cd439ea44d78cb91bbf1c
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\ssleay32.dll
executable
MD5: 3c6e0301f29d084ed780f51d826a2ee0
SHA256: f175c7ccfbb2cb9ee60fcf3ceea56e92d9820506ffa38dee28516ab7df78b5d1
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\CptService.exe
executable
MD5: e952f9acf362a288634ad5f62601f71c
SHA256: 91ea4d2fcfc16bd357192d2dc66746008c1a2f65a3e4b3a7f7da4cc499449886
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zCrashReport.dll
executable
MD5: af91d61d820e126a28f467d2534c31d0
SHA256: 8d158b4f37b060464ff7264a60d1f4fc35be25a6a929608560e36a6e84916ada
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\mcm.dll
executable
MD5: f2791cf32ffcb9281fcd4b55926502e9
SHA256: 06d0c0fae2e57855cadba94f573f925db1465eec2159f360596b1cb6a5c85175
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\libfaac.dll
executable
MD5: 8092e04456fe2e9396231de6bf9e0157
SHA256: 3205b0fd491e31ea3e6049e25d24fe7f2537dd244296395e1b77066308cbe989
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\asproxy.dll
executable
MD5: 193485d0ce02a434405ddb0439d46f30
SHA256: bd1ec70600c492680fbc6ac79a2cca539d197001b0be924d291ee97d1b6aa8e9
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zmb.dll
executable
MD5: 167b69cee6053c32bfcb570100b280e3
SHA256: 14428e1839a57846a6ad946db47e6e514f43b1cc3a226e4baeb06ebd24813c38
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\CptControl.exe
executable
MD5: ba85ecfddfa8552d1179e4f09b490a79
SHA256: 1d7562078281378c9dedc6c9c002f999e0041ffd320c7582d9461b47a0f1b448
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\turbojpeg.dll
executable
MD5: 9fb15cfcbce81b1fdef48d43a23a0e4c
SHA256: 2e2e868d6f316b01517f078a8d96f53f78274d64f8916e67ef53124ec9f052bd
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\CptInstall.exe
executable
MD5: becc8400343c7de488098746c420ec57
SHA256: 8ce01b4c3b3533d97e51f808f067265167b1d26b802fcae3a0e259c899b6086d
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zCrashReport.exe
executable
MD5: e70b129260be1335723237674b606af9
SHA256: 96af57323a0da3630af02d638ffffecf952bd6d26ef006845e2a722bf3c1d463
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\Installer.exe
executable
MD5: 896690d849f668110aa38da674e810d2
SHA256: b7bc4ae2b478813fec15543db51a9483e56254049eabeb1819a9dfd74fcdbfb3
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\nydus.dll
executable
MD5: ee288d7ddc7d5951e04c34c5ceafe4a0
SHA256: 58003bf6d8eb4f40b760f122e4c9e0a1102d7a4d5db1a7a5398698daad50fe05
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\XmppDll.dll
executable
MD5: 48282f9a688f0b7d5b67c5d087c46932
SHA256: 87d0a088c2cd1f889dc2635395dcb1de4625f0e7f80863f444a84ec1d9166fe3
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\Zoom_launcher.exe
executable
MD5: 3fa136788d997f017415bc16cacb9b0f
SHA256: 88896bcdd98a8ee48ef5f4cbd36bfcff61797e4d0041232c20fbb093ee61968e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\Cmmlib.dll
executable
MD5: 0a543d7be03351f4ee241e673010321e
SHA256: 363239f128e2e1f023a8f11c86ccabe324e902fbadc7d8cb89f9f8c742e0d80f
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\libeay32.dll
executable
MD5: 004a18964d3813d1dc1dac3f839e5ee6
SHA256: 17079987a441cd7b8881689c028780b0d31a2c37e5daeebe0ef1b2e3a266fa7e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zzhost.dll
executable
MD5: 5884f4cb6c50187ed774bc79a1afb944
SHA256: 4f22fe4de7884ea8945f1b591a1d1d974db361d6363ab6fae08eba1e59c906c0
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zVideoApp.dll
executable
MD5: 760826e0bc0bb24de47c44291be2ab5b
SHA256: eb930c5efe8ba505460d54b90680768b07e976aa0ee6199c83d83d181adaa23e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\asproxy.dll
executable
MD5: 193485d0ce02a434405ddb0439d46f30
SHA256: bd1ec70600c492680fbc6ac79a2cca539d197001b0be924d291ee97d1b6aa8e9
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zzhost.dll
executable
MD5: 5884f4cb6c50187ed774bc79a1afb944
SHA256: 4f22fe4de7884ea8945f1b591a1d1d974db361d6363ab6fae08eba1e59c906c0
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\CptControl.exe
executable
MD5: ba85ecfddfa8552d1179e4f09b490a79
SHA256: 1d7562078281378c9dedc6c9c002f999e0041ffd320c7582d9461b47a0f1b448
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zVideoUI.dll
executable
MD5: aadf421ccb127dcadf851135318e3dcd
SHA256: 3b0523429552e7fca77509d7e977e40641fb2748984f02af0799628a5467c771
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\CmmBrowserEngine.dll
executable
MD5: 89921e6d6ef33ce7f13fb5acfa65c071
SHA256: 99129dbec3f212279b31f4a90babc91ce4784c127a00574cb1c57dc6267d9922
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zWebService.dll
executable
MD5: c734a10d901697ae52520f3363bffe8b
SHA256: 89ed79047a228a6257ae127d9bb48faf453ec335ad85bcd1523b2035622faec6
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\DuiLib.dll
executable
MD5: 5db1a899051eaa4cc8ecf899e5ceb941
SHA256: 7a6055f410978b69e7a2d8dc7259ae4fd5cec85baae6abc9a9207dffe5eb09dc
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zWinRes.dll
executable
MD5: 7f66ca0b3fc76a833ab730cf12d43f93
SHA256: 6bb0a339e7c9a4eb339ad7908d354b9a8a3818b26906adb67671181460917f2c
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\annoter.dll
executable
MD5: dce97432248c231c6a11a0d62b757e9c
SHA256: 1e35897240b5967d8ca591ec485d2c1c400626c40f101689e3ba23035be78b24
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\msaalib.dll
executable
MD5: f8b6d18364eabbbf3ebe2a0972782cb8
SHA256: 79535156cd94b8bee1033dbcc5fc893f1dc0efe1c18cd439ea44d78cb91bbf1c
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Local\Temp\zm1164.tmp
executable
MD5: c42b05c459306678db2f553f881ea72f
SHA256: ebed1c6ec1ab1e4f69b6ce5533c5393660ecc3ba922ca7834d7223f6ad7bae01
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\CptHost.exe
executable
MD5: 616fd8b9eb5df3d36dad4631e6539583
SHA256: 9e0d0043a107d461c342d4136ee4daee952be121c2da774ede40b82982e22f61
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
executable
MD5: 896690d849f668110aa38da674e810d2
SHA256: b7bc4ae2b478813fec15543db51a9483e56254049eabeb1819a9dfd74fcdbfb3
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\CptShare.dll
executable
MD5: d3e49ca6fb30aaf655659a57345d7619
SHA256: de123c6f6dbf1e1bdb86d2333374788f9fe6bd6c729abe97b6b09a78926d898b
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\Installer.exe
executable
MD5: 896690d849f668110aa38da674e810d2
SHA256: b7bc4ae2b478813fec15543db51a9483e56254049eabeb1819a9dfd74fcdbfb3
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\turbojpeg.dll
executable
MD5: 9fb15cfcbce81b1fdef48d43a23a0e4c
SHA256: 2e2e868d6f316b01517f078a8d96f53f78274d64f8916e67ef53124ec9f052bd
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\CptHost.exe
executable
MD5: 616fd8b9eb5df3d36dad4631e6539583
SHA256: 9e0d0043a107d461c342d4136ee4daee952be121c2da774ede40b82982e22f61
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\record_start.pcm
binary
MD5: ab8a5f2981e225d3edaacb520083835a
SHA256: 193c4ffea3de04802e97e9e62fcd8533d8ca53e7306ba113a2234959b5262eb4
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
––
MD5:  ––
SHA256:  ––
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zoom\Start Zoom.lnk
lnk
MD5: d06424b9595859ef575d9cd2e24d7323
SHA256: 27e97a1a33e32b414ff520597ded75af096d51cddace6fb4913d296c0e598a80
3992
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoommeeting.db-journal
––
MD5:  ––
SHA256:  ––
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\dingdong1.pcm
binary
MD5: 8fe86d9e8aa5c709bb0563243172e580
SHA256: 2fbbb9ae6a463b360e1459bee558dafa8d864db2423f0fe4d2c56d22c3f3a5a2
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\ZoomInstall.xml
xml
MD5: 2471e633d5fc8517fb62e55f120c4303
SHA256: d95204c0097d3365ba6121df939e1279fff3f0470564046482853b49c8b7e98e
3992
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
––
MD5:  ––
SHA256:  ––
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\directui_license.txt
text
MD5: ab54b14548a4cc76dd7c27414d971111
SHA256: 6033476be3d1d41166b65984e2be94c87ac98dce55bfec887e932b696e859295
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.tmp.db-journal
––
MD5:  ––
SHA256:  ––
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
binary
MD5: 4071b6dcbaa19d662e1ecb577b9d04dc
SHA256: a75f006f9563cce29b37a6467adc6b36e2fee136391b2b20fce6de93165f86c7
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\352fd027c0e8f0e5.customDestinations-ms
binary
MD5: 806dcb23cb4521d5d4bdc5dac5864079
SHA256: 91abaff908694a45a1c25dccee6603ff3704f5b8207cd2d8ce0e27bafcf28dfd
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\leave.pcm
binary
MD5: e5d30e0abc409206352d6d6dd14f3a1e
SHA256: 6a401623c2583e67868131f2194eab3321e74783388d80defdc190022018b6f7
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\crashrpt_lang.ini
text
MD5: 3be1f13a7a5c5490d4669f3051cc5572
SHA256: 9f124594495b209908d79cecadd63ee55d2282d763212c0fcd0930a5f858ca8c
3196
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\installer.txt
text
MD5: 54e01656b27e0d2e8807b00f4e17ecf8
SHA256: cb5fc66b3829b3484575f19c38443f0ef28d344f28b896130145bdd56230367c
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\969ALTQ90RGD7XBWL2K7.temp
––
MD5:  ––
SHA256:  ––
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
binary
MD5: d05d52914e1a4cfe5e13f94f1b3d02ac
SHA256: 7ea5dcc3613dd984aa81cd976df13d279cce3216b7c9760cb99b2b991120fc0e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\duilib_license.txt
text
MD5: 7faec2006bb231d14b794a9f31769448
SHA256: 7ed2acca31a243ba107d8c12fddecd52462fd326d3d2c73b04d4cf10c76765ff
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
binary
MD5: f09eb596cb3c62873b06e42fc7684657
SHA256: 7db71335d2d8b538ee5cf1e01899929b26006efcf1336bd0a735f35a8fa1c2f5
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\zcacert.pem
text
MD5: d37f51f99f2b105be112766c030b9120
SHA256: 20c8dd6dd4665d46dc304302b48964ac617c56d88ef55ef8078d0bdf94bccf34
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
binary
MD5: 8a00bdecafeed6abc2ba9b5c9f273278
SHA256: 8b07dba93b908a677cb2b70fb056632e23939c8e79f0c2ac6311d5e9af81bc53
3252
Zoom.exe
C:\Users\admin\AppData\Roaming\Zoom\data\zoomus.db-journal
binary
MD5: 2a6b55e267f088399d755249f78fee1c
SHA256: af52cb09c7901c94b5c7299473c00c0d646a8ba7ba16629ebcdd3a164742d8d1
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zoom\Uninstall Zoom.lnk
lnk
MD5: 988bc747c4b5fc6bed1750cb59850172
SHA256: e1820a49bc7c793053543bd6fd7cdae46ab20a4a9ee27f9e2e653ab21e8a310d
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\dingdong.pcm
binary
MD5: 6634b90ac989dc297da9f37ce3f656ac
SHA256: 80a9a24a19c9749f7d76d2e3a37587a19ac812659de2e76b50b08f5f293884cd
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\installer.txt
text
MD5: 85f82446e513bf7ae0e78eb8ce857b35
SHA256: 4fc0c183dc118034da6c2032e6d228c1dec4507d232333af8caeb90636314ee5
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\ring.pcm
binary
MD5: 8cb38998ffa6b56164c375375eb01db0
SHA256: 2f6bbe479c720072ce7a34182389bec94aac83310326f312c826f2f95c2a6eea
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Local\Temp\zopener_8a4800ea0a3f43f4bafd7706c1a4e7ee.log
––
MD5:  ––
SHA256:  ––
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\ZoomInstall.xml
xml
MD5: 2471e633d5fc8517fb62e55f120c4303
SHA256: d95204c0097d3365ba6121df939e1279fff3f0470564046482853b49c8b7e98e
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\record_stop.pcm
binary
MD5: 0001fecb6b6e044d221fbc6a7e22e313
SHA256: 8cd8b4d3e8447d82dd045c7a3a8f175b97376c3db5895506cab0af6a0075226f
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\leave.pcm
binary
MD5: e5d30e0abc409206352d6d6dd14f3a1e
SHA256: 6a401623c2583e67868131f2194eab3321e74783388d80defdc190022018b6f7
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\record_start.pcm
binary
MD5: ab8a5f2981e225d3edaacb520083835a
SHA256: 193c4ffea3de04802e97e9e62fcd8533d8ca53e7306ba113a2234959b5262eb4
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\ring.pcm
binary
MD5: 8cb38998ffa6b56164c375375eb01db0
SHA256: 2f6bbe479c720072ce7a34182389bec94aac83310326f312c826f2f95c2a6eea
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\zcacert.pem
text
MD5: d37f51f99f2b105be112766c030b9120
SHA256: 20c8dd6dd4665d46dc304302b48964ac617c56d88ef55ef8078d0bdf94bccf34
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\duilib_license.txt
text
MD5: 7faec2006bb231d14b794a9f31769448
SHA256: 7ed2acca31a243ba107d8c12fddecd52462fd326d3d2c73b04d4cf10c76765ff
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\dingdong1.pcm
binary
MD5: 8fe86d9e8aa5c709bb0563243172e580
SHA256: 2fbbb9ae6a463b360e1459bee558dafa8d864db2423f0fe4d2c56d22c3f3a5a2
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\directui_license.txt
text
MD5: ab54b14548a4cc76dd7c27414d971111
SHA256: 6033476be3d1d41166b65984e2be94c87ac98dce55bfec887e932b696e859295
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\dingdong.pcm
binary
MD5: 6634b90ac989dc297da9f37ce3f656ac
SHA256: 80a9a24a19c9749f7d76d2e3a37587a19ac812659de2e76b50b08f5f293884cd
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\zoom_install_src\crashrpt_lang.ini
text
MD5: 3be1f13a7a5c5490d4669f3051cc5572
SHA256: 9f124594495b209908d79cecadd63ee55d2282d763212c0fcd0930a5f858ca8c
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Roaming\Zoom\ZoomDownload\Zoom.msi
––
MD5:  ––
SHA256:  ––
4036
Installer.exe
C:\Users\admin\AppData\Roaming\Zoom\bin\record_stop.pcm
binary
MD5: 0001fecb6b6e044d221fbc6a7e22e313
SHA256: 8cd8b4d3e8447d82dd045c7a3a8f175b97376c3db5895506cab0af6a0075226f
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 9ad9def6a823460e9f5f7559d2bd0b9e
SHA256: 33ab65a77e7135cd96df05ef94da3e95cb54423917777dbcb494e255dca95f79
3132
Zoom_badf4203c40a409c.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––

Find more information on the static content and download it in the full report.

Network activity

HTTP(S) requests
0
TCP/UDP connections
17
DNS requests
11
Threats
1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3132 Zoom_badf4203c40a409c.exe 52.202.62.237:443 Amazon.com, Inc. US unknown
3132 Zoom_badf4203c40a409c.exe 54.230.14.184:443 Amazon.com, Inc. US unknown
3252 Zoom.exe 52.202.62.237:443 Amazon.com, Inc. US unknown
3252 Zoom.exe 52.202.62.235:443 Amazon.com, Inc. US suspicious
3992 Zoom.exe 52.202.62.236:443 Amazon.com, Inc. US unknown
3992 Zoom.exe 213.244.140.84:443 Level 3 Communications, Inc. GB unknown
3992 Zoom.exe 213.244.140.85:443 Level 3 Communications, Inc. GB unknown
3992 Zoom.exe 213.19.144.104:443 Zoom Video Communications, Inc GB unknown
3992 Zoom.exe 213.19.144.105:443 Zoom Video Communications, Inc GB unknown
3992 Zoom.exe 109.94.160.130:443 UA unknown
3992 Zoom.exe 109.94.160.130:8801 UA unknown

DNS requests

Domain IP Reputation
launcher.zoom.us 52.202.62.237 unknown
d11yldzmag5yn.cloudfront.net 54.230.14.184, 54.230.14.19, 54.230.14.236, 54.230.14.108 whitelisted
log.zoom.us 52.202.62.237 unknown
zoom.us 52.202.62.235 whitelisted
www3.zoom.us 52.202.62.236 suspicious
zoomfr85zc.zoom.us 213.244.140.85 unknown
zoomam104zc.zoom.us 213.19.144.104 unknown
zoomfr84zc.zoom.us 213.244.140.84 unknown
zoomam105zc.zoom.us 213.19.144.105 unknown
zoomfrn130mmr.zoom.us 109.94.160.130 unknown

Threats

PID Process Class Message
3132 Zoom_badf4203c40a409c.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions

Debug output strings

Process Message
cpthost.exe Parse Menu. Load file success! menu counts:3.