Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Zoom.exe

"C:\Users\user\Desktop\Zoom.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7876
Target ID:	0
Parent PID:	3964
Name:	Zoom.exe
Path:	C:\Users\user\Desktop\Zoom.exe
Commandline:	"C:\Users\user\Desktop\Zoom.exe"
Size:	1054248
MD5:	3DED2B22F85E0720A350969315CE9575
Time:	03:22:17
Date:	06/04/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6a2120000
Modulesize:	1081344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file contains sections with non-standard names	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7932
Target ID:	2
Parent PID:	7876
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	03:22:18
Date:	06/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8e0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7884
Target ID:	1
Parent PID:	7876
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:22:17
Date:	06/04/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

144.202.100.226:1912

http://tempuri.org/Entity/Id10Response

unknown

http://tempuri.org/Entity/Id24LR

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://tempuri.org/Entity/Id22LR

unknown

http://tempuri.org/Entity/Id20LR

unknown

http://ocsp.entrust.net03

unknown

http://ocsp.entrust.net02

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://tempuri.org/Entity/Id6ResponseP

unknown

http://tempuri.org/Entity/Id19LR

unknown

http://tempuri.org/Entity/Id23Response

unknown

http://tempuri.org/Entity/Id17LR

unknown

http://tempuri.org/Entity/Id15LR

unknown

http://tempuri.org/Entity/Id9LR

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://tempuri.org/Entity/Id13LR

unknown

http://tempuri.org/Entity/Id7LR

unknown

http://tempuri.org/Entity/Id11LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/fault

unknown

http://tempuri.org/Entity/Id17Response

unknown

http://tempuri.org/Entity/Id1LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id5LR

unknown

http://tempuri.org/Entity/Id20Response

unknown

http://tempuri.org/Entity/Id3LR

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id13Response

unknown

http://tempuri.org/Entity/Id4Response

unknown

http://crl.entrust.net/ts1ca.crl0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty

unknown

http://tempuri.org/Entity/Id6Response

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://tempuri.org/Entity/Id23LR

unknown

http://tempuri.org/Entity/Id7Response

unknown

http://tempuri.org/Entity/Id21LR

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://tempuri.org/x

unknown

http://www.entrust.net/rpa03

unknown

http://tempuri.org/Entity/Id11Response

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://aia.entrust.net/ts1-chain256.cer01

unknown

http://tempuri.org/Entity/Id22Response

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://tempuri.org/Entity/Id18LR

unknown

http://tempuri.org/Entity/Id16LR

unknown

http://tempuri.org/Entity/Id8LR

unknown

http://tempuri.org/Entity/Id14LR

unknown

http://tempuri.org/Entity/Id6LR

unknown

http://tempuri.org/Entity/Id18Response

unknown

http://tempuri.org/Entity/

unknown

http://tempuri.org/Entity/Id12LR

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/Entity/Id10LR

unknown

http://tempuri.org/Entity/Id4LR

unknown

http://tempuri.org/Entity/Id2LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rmX

unknown

http://tempuri.org/Entity/Id3Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://tempuri.org/Entity/P

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

https://www.entrust.net/rpa0

unknown

http://tempuri.org/Entity/Id14Response

unknown

There are 65 hidden URLs, click here to show them.

Domains

Name

Malicious

us02web-zoom.icu

144.202.100.226

Details

Name:	us02web-zoom.icu
IP:	144.202.100.226
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

144.202.100.226

us02web-zoom.icu

United States

Details

IP:	144.202.100.226
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	20473
ASN name:	AS-CHOOPAUS
Private:	false
Domain:	us02web-zoom.icu

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

402000

remote allocation

page execute and read and write

2C61000

trusted library allocation

page read and write

1260000

trusted library allocation

page read and write

60CE000

stack

page read and write

55E1000

trusted library allocation

page read and write

2B30000

trusted library allocation

page read and write

4DFE000

stack

page read and write

56C4000

heap

page read and write

1230000

trusted library allocation

page read and write

10F0000

trusted library allocation

page read and write

5340000

trusted library allocation

page read and write

10C0000

trusted library allocation

page read and write

2AE0000

trusted library allocation

page read and write

56B0000

heap

page read and write

7FF6A2121000

unkown

page execute read

5810000

trusted library allocation

page read and write

F1E000

heap

page read and write

2359B8A0000

heap

page read and write

2359D320000

heap

page read and write

7FF6A2120000

unkown

page readonly

7FF6A217B000

unkown

page readonly

6110000

trusted library allocation

page read and write

55B0000

trusted library allocation

page read and write

5680000

trusted library allocation

page read and write

1250000

trusted library allocation

page read and write

56F2000

heap

page read and write

536B000

trusted library allocation

page read and write

2AE4000

trusted library allocation

page read and write

2B28000

trusted library allocation

page read and write

437000

remote allocation

page execute and read and write

2AEE000

trusted library allocation

page read and write

EA8000

heap

page read and write

55D2000

trusted library allocation

page read and write

2C5F000

stack

page read and write

7FF6A2186000

unkown

page write copy

55DE000

trusted library allocation

page read and write

547E000

stack

page read and write

3C61000

trusted library allocation

page read and write

10D0000

trusted library allocation

page read and write

1217000

trusted library allocation

page execute and read and write

5150000

trusted library allocation

page read and write

D70000

heap

page read and write

2B0D000

trusted library allocation

page read and write

560B000

trusted library allocation

page read and write

5610000

trusted library allocation

page read and write

56A0000

heap

page read and write

10D4000

trusted library allocation

page read and write

2B12000

trusted library allocation

page read and write

560E000

trusted library allocation

page read and write

5600000

trusted library allocation

page read and write

7FF6A2189000

unkown

page readonly

10ED000

trusted library allocation

page execute and read and write

10E3000

trusted library allocation

page read and write

FFB00000

trusted library allocation

page execute and read and write

5690000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

5330000

heap

page read and write

2B35000

trusted library allocation

page read and write

5640000

trusted library allocation

page execute and read and write

446000

remote allocation

page execute and read and write

D75000

heap

page read and write

2AFE000

trusted library allocation

page read and write

D60000

heap

page read and write

5263000

heap

page read and write

2B40000

trusted library allocation

page read and write

5342000

trusted library allocation

page read and write

543E000

stack

page read and write

1210000

trusted library allocation

page read and write

63C1BFF000

stack

page read and write

1212000

trusted library allocation

page read and write

2B50000

heap

page read and write

5260000

heap

page read and write

10E0000

trusted library allocation

page read and write

5FCF000

stack

page read and write

7FF6A2189000

unkown

page readonly

5620000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

1215000

trusted library allocation

page execute and read and write

2B01000

trusted library allocation

page read and write

432000

remote allocation

page execute and read and write

3C6F000

trusted library allocation

page read and write

7FF6A2121000

unkown

page execute read

9A9000

stack

page read and write

55EA000

trusted library allocation

page read and write

2AA0000

heap

page read and write

CF7000

stack

page read and write

55BB000

trusted library allocation

page read and write

2359B850000

heap

page read and write

2359B8AB000

heap

page read and write

7FF6A218E000

unkown

page readonly

2AE6000

trusted library allocation

page read and write

7FF6A217B000

unkown

page readonly

5605000

trusted library allocation

page read and write

E70000

heap

page read and write

10DD000

trusted library allocation

page execute and read and write

57C0000

trusted library allocation

page execute and read and write

F05000

heap

page read and write

2AC0000

trusted library allocation

page read and write

57B0000

trusted library allocation

page read and write

5350000

trusted library allocation

page execute and read and write

5365000

trusted library allocation

page read and write

1100000

heap

page read and write

7FF6A2120000

unkown

page readonly

63C1CFE000

stack

page read and write

5800000

trusted library allocation

page execute and read and write

2359B840000

heap

page read and write

10F6000

trusted library allocation

page execute and read and write

5480000

trusted library allocation

page read and write

57F0000

trusted library allocation

page read and write

F30000

heap

page read and write

57D0000

trusted library allocation

page execute and read and write

2A5E000

stack

page read and write

10D3000

trusted library allocation

page execute and read and write

570D000

heap

page read and write

7FF6A218E000

unkown

page readonly

E9A000

heap

page read and write

2AEB000

trusted library allocation

page read and write

2AF2000

trusted library allocation

page read and write

57E0000

trusted library allocation

page read and write

63C1AFC000

stack

page read and write

1240000

trusted library allocation

page execute and read and write

55F1000

trusted library allocation

page read and write

10F2000

trusted library allocation

page read and write

1270000

heap

page read and write

55C6000

trusted library allocation

page read and write

7FF6A2186000

unkown

page read and write

55C1000

trusted library allocation

page read and write

2B06000

trusted library allocation

page read and write

2AD0000

heap

page execute and read and write

5670000

trusted library allocation

page read and write

7FF6A2190000

unkown

page write copy

2A9E000

stack

page read and write

E78000

heap

page read and write

D10000

heap

page read and write

3C81000

trusted library allocation

page read and write

2359D21C000

heap

page read and write

121B000

trusted library allocation

page execute and read and write

7FF6A2190000

unkown

page write copy

54A0000

heap

page execute and read and write

2359D3F0000

heap

page read and write

5630000

trusted library allocation

page read and write

2B20000

trusted library allocation

page read and write

10FA000

trusted library allocation

page execute and read and write

F6C000

heap

page read and write

There are 135 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Zoom.exe

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportZoom.exe

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Zoom.exe