
Windows Analysis Report
Zoom.exe

Overview

General Information

Sample name: Zoom.exe
Analysis ID: 1557990
MD5: da30eab35f763bc0c5100f7da5f8e676
SHA1: 218134a4b2e2d00ea18cf528ae35431a01474fe3
SHA256: 80e520bd05e9f430994d7108aa44e756421bb5ba84ef12972ecb280545bcef3a
Tags: exe, user-N3utralZ0ne

Detection: PureCrypter, MicroClip
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Suricata IDS alerts for network traffic
Yara detected MicroClip
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Zoom.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
    • powershell.exe (PID: 7156 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Zoom.exe (PID: 5044 cmdline: "C:\Users\user\AppData\Roaming\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
  • Zoom.exe (PID: 2292 cmdline: "C:\Users\user\AppData\Roaming\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
  • cleanup
Name: PureCrypter
Description: According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
No configs have been found
Source | Rule | Description | Author
00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Zoom.exe PID: 6496 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Zoom.exe PID: 6496 | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security
Process Memory Space: Zoom.exe PID: 5044 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Zoom.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zoom
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zoom.exe", ParentImage: C:\Users\user\Desktop\Zoom.exe, ParentProcessId: 6496, ParentProcessName: Zoom.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', ProcessId: 7156, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zoom.exe", ParentImage: C:\Users\user\Desktop\Zoom.exe, ParentProcessId: 6496, ParentProcessName: Zoom.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', ProcessId: 7156, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-18T20:46:11.550490+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 172.81.130.139 | 56001 | 192.168.2.5 | 49704 | TCP


AV Detection

Source: Zoom.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Avira: detection malicious, Label: HEUR/AGEN.1323341
Source: C:\Users\user\AppData\Roaming\Zoom.exe | ReversingLabs: Detection: 44%
Source: Zoom.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Joe Sandbox ML: detected
Source: Zoom.exe | Joe Sandbox ML: detected
Source: Zoom.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Zoom.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 172.81.130.139:56001 -> 192.168.2.5:49704
Source: Joe Sandbox View | ASN Name: DATAWAGONUS DATAWAGONUS
Source: unknown | TCP traffic detected without corresponding DNS query: 172.81.130.139
Source: powershell.exe, 00000002.00000002.2076162638.000000000319D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.2088828355.0000000007902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft/
Source: Zoom.exe, 00000000.00000002.4517013238.000000000140C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Zoom.exe, 00000000.00000002.4517013238.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000002.00000002.2087313785.000000000608B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2077345397.0000000005176000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2088828355.0000000007902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2077345397.0000000005021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2077345397.0000000005176000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2088828355.0000000007902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2077345397.0000000005021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000002.00000002.2087313785.000000000608B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2087313785.000000000608B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2087313785.000000000608B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Zoom.exe, 00000000.00000002.4519895828.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: Zoom.exe, 00000000.00000002.4519895828.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: Zoom.exe, 00000000.00000002.4519895828.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: powershell.exe, 00000002.00000002.2077345397.0000000005176000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2088828355.0000000007902000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2087313785.000000000608B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Zoom.exe, 00000000.00000002.4519895828.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Zoom.exe, 00000000.00000002.4519895828.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Zoom.exe, 00000000.00000002.4519895828.000000000331C000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, Zoom.exe, 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

System Summary

Source: Zoom.exe, RulesSingletonConnector.cs | Large array initialization: PopStub: array initializer size 297280
Source: Zoom.exe.0.dr, RulesSingletonConnector.cs | Large array initialization: PopStub: array initializer size 297280
Source: C:\Users\user\Desktop\Zoom.exe | Process Stats: CPU usage > 49%
Source: Zoom.exe, 00000000.00000002.4533314629.00000000043E5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePluginClipper.dll" vs Zoom.exe
Source: Zoom.exe, 00000000.00000002.4533314629.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePluginTV.dll" vs Zoom.exe
Source: Zoom.exe, 00000000.00000002.4517013238.000000000139E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Zoom.exe
Source: Zoom.exe, 00000000.00000000.2061124344.0000000000D9A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
Source: Zoom.exe, 00000000.00000002.4550294257.0000000007500000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePluginClipper.dll" vs Zoom.exe
Source: Zoom.exe, 00000000.00000002.4533314629.00000000046A0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePluginTV.dll" vs Zoom.exe
Source: Zoom.exe, 00000000.00000002.4556701879.0000000007E40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePluginTV.dll" vs Zoom.exe
Source: Zoom.exe, 00000000.00000002.4533314629.0000000004169000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePluginClipper.dll" vs Zoom.exe
Source: Zoom.exe, 00000004.00000002.2369234076.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
Source: Zoom.exe, 00000004.00000002.2373291863.00000000054E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
Source: Zoom.exe, 00000004.00000002.2358641314.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Zoom.exe
Source: Zoom.exe, 00000004.00000002.2363736434.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
Source: Zoom.exe, 00000006.00000002.2451736368.00000000041E4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
Source: Zoom.exe | Binary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
Source: Zoom.exe.0.dr | Binary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
Source: Zoom.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zoom.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zoom.exe, RulesSingletonConnector.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Zoom.exe, WatcherCodeInstance.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Zoom.exe, WatcherCodeInstance.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Zoom.exe.0.dr, RulesSingletonConnector.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Zoom.exe.0.dr, WatcherCodeInstance.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Zoom.exe.0.dr, WatcherCodeInstance.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/7@0/1
Source: C:\Users\user\Desktop\Zoom.exe | File created: C:\Users\user\AppData\Roaming\Zoom.exe
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Users\user\Desktop\Zoom.exe | Mutant created: \Sessions\1\BaseNamedObjects\c133332651f9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0k1tt4g.w2s.ps1
Source: Zoom.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Zoom.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Zoom.exeReversingLabs: Detection: 44%
            Source: C:\Users\user\Desktop\Zoom.exeFile read: C:\Users\user\Desktop\Zoom.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Zoom.exe "C:\Users\user\Desktop\Zoom.exe"
            Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Zoom.exe "C:\Users\user\AppData\Roaming\Zoom.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Zoom.exe "C:\Users\user\AppData\Roaming\Zoom.exe"
            Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'Jump to behavior
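The process-creation rows above show the sample's persistence step: it spawns PowerShell to delete and then re-create the HKCU ...\CurrentVersion\Run value "Zoom", pointing it at the copy it dropped into %APPDATA%. The following is an added detection example written for this page; it is not code from the Joe Sandbox report or from the sample. It parses process-creation command lines for Remove/New/Set-ItemProperty calls against Run or RunOnce keys, extracts the autostart target, and flags two things a responder cares about: a target in a user-writable directory, and the delete-then-recreate idiom this sample uses instead of a single Set-ItemProperty. The command lines in SAMPLE_CMDLINES are constructed test input; the first reproduces the one in the report, the other two are assumed benign controls.

```python
"""Added detection example; not code from the Joe Sandbox report or from the sample.

Parses PowerShell command lines for writes to Run/RunOnce autostart keys.
The command lines below are constructed: [0] reproduces the report's, [1] and
[2] are assumed benign controls.
"""
import re
from typing import Optional

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
# Locations any user can write to; an autostart target there is a stronger signal than Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
CMDLET_RE = re.compile(r"\b(Remove|New|Set)-ItemProperty\b", re.I)

SAMPLE_CMDLINES = [
    r""""powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'""",
    r""""powershell.exe" Set-ItemProperty -Path 'HKCU:\Software\Contoso\Editor' -Name 'Theme' -Value 'dark'""",
    r"""powershell.exe -NoProfile New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VendorAgent' -Value '"C:\Program Files\Vendor\Agent.exe" /tray'""",
]


def split_statements(cmdline: str) -> list:
    """Split a PowerShell one-liner on ';' outside single or double quotes."""
    parts, buf, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def param(stmt: str, name: str) -> Optional[str]:
    """Value of -<name>, whether single-quoted, double-quoted or bare."""
    m = re.search(r"-%s\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))" % name, stmt, re.I)
    return None if not m else next(g for g in m.groups() if g is not None)


def executable_of(value: str) -> str:
    """Reduce a Run value to its executable path: '"C:\\x.exe" /arg' -> 'C:\\x.exe'."""
    v = value.strip()
    if v.startswith('"') and v.find('"', 1) > 0:
        return v[1:v.find('"', 1)]
    return v.split(" ")[0]


def run_key_findings(cmdline: str) -> list:
    """One finding per New/Set-ItemProperty that writes a Run or RunOnce value."""
    findings, removed = [], set()
    for stmt in split_statements(cmdline):
        m = CMDLET_RE.search(stmt)
        key = param(stmt, "Path")
        if not m or not key or not RUN_KEY_RE.search(key.rstrip("\\")):
            continue
        name = param(stmt, "Name") or ""
        ident = (key.lower(), name.lower())
        if m.group(1).lower() == "remove":
            removed.add(ident)          # remembered so a following re-create of the same value is flagged
            continue
        target = executable_of(param(stmt, "Value") or "")
        findings.append({
            "cmdlet": m.group(0),
            "key": key,
            "name": name,
            "target": target,
            "user_writable_target": bool(USER_WRITABLE_RE.search(target)),
            # The sample's idiom: Remove-ItemProperty, then New-ItemProperty on the same value.
            "delete_then_recreate": ident in removed,
        })
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for f in run_key_findings(line):
            sev = "HIGH" if f["user_writable_target"] else "MEDIUM"
            print(f"[{sev}] {f['cmdlet']} {f['key']}\\{f['name']} -> {f['target']}"
                  f" (delete-then-recreate={f['delete_then_recreate']})")
```

Run against the report's command line this yields a single HIGH finding (target under \AppData\, delete-then-recreate true); the HKLM vendor entry is reported at MEDIUM, and the non-Run registry write produces nothing. Feed it the CommandLine field of Sysmon Event ID 1 or Security 4688 records to hunt the same pattern across a fleet; the Remove-then-New sequence is the narrower signature, the Run-key write itself the broader one.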
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zoom.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Zoom.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Zoom.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Zoom.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zoom.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: Zoom.exe, WatcherCodeInstance.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: Zoom.exe.0.dr, WatcherCodeInstance.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: Zoom.exe, Consumer.cs | .Net Code: ForgotTokenizer System.Reflection.Assembly.Load(byte[])
Source: Zoom.exe.0.dr, Consumer.cs | .Net Code: ForgotTokenizer System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Zoom.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
Source: C:\Users\user\Desktop\Zoom.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
Source: Zoom.exe | Static PE information: 0xACB26237 [Mon Oct 24 09:28:23 2061 UTC]
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_06DF7148 push FFFFFF98h; retf 0_2_06DF715E
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_06DFD110 pushfd ; retf 0_2_06DFD11D
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_06DFFF72 push es; retf 0_2_06DFFF73
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_07645F10 push 04418B07h; ret 0_2_07645F33
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_07649698 push B0059E7Eh; ret 0_2_076496B5
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_0769875A push edx; retf 0_2_07698761
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_07696549 push cs; iretd 0_2_0769654F
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_07697D5A push FFFFFFB3h; retf 0_2_07697D5C
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_07699357 push cs; iretd 0_2_0769935F
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_07698AE5 push ss; ret 0_2_07698AE8
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_076BA786 push edi; ret 0_2_076BA788
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_076BA677 push edi; ret 0_2_076BA679
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_076B9C62 push 8BFFFFFCh; retf 0_2_076B9C67
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_076C6378 push 8BFFFFFFh; iretd 0_2_076C637E
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_076C7104 push esp; ret 0_2_076C7109
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_0852454B push B807CF9Ch; iretd 0_2_08524555
Source: C:\Users\user\Desktop\Zoom.exe | Code function: 0_2_085350FF push edi; ret 0_2_08535101
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D80CD0 push eax; ret 2_2_04D80CDA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D80CC0 push eax; ret 2_2_04D80CCA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D80CB0 push eax; ret 2_2_04D80CBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D80C49 push eax; ret 2_2_04D80C4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04D80C70 push eax; ret 2_2_04D80CAA
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Code function: 4_2_052F4623 push esp; ret 4_2_052F463D
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Code function: 4_2_053059B3 push EC053173h; retf 4_2_053059BD
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Code function: 4_2_0530EB2B pushfd ; retf 4_2_0530EB31
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Code function: 4_2_0530F230 push esp; iretd 4_2_0530F231
Source: C:\Users\user\AppData\Roaming\Zoom.exe | Code function: 4_2_0530EAAB push esp; retf 4_2_0530EAB1
Source: Zoom.exe | Static PE information: section name: .text entropy: 7.8678306288821815
Source: Zoom.exe.0.dr | Static PE information: section name: .text entropy: 7.8678306288821815
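Two of the static rows in this section are worth reproducing in a triage script: the PE header timestamp (0xACB26237, which decodes to 24 Oct 2061, well after the analysis) and the .text section entropy of 7.87 bits per byte. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample. It reads IMAGE_FILE_HEADER.TimeDateStamp and the CLR data directory from a constructed minimal PE32 header (the real sample's bytes are not embedded) and computes Shannon entropy; the analysis date is an assumption. One caveat a practitioner should apply here: this sample is a .NET assembly (the report lists IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), and deterministic Roslyn builds store a content hash rather than a build time in TimeDateStamp, so a far-future stamp on a .NET binary is weak evidence on its own. The near-8.0 entropy of the code section is the stronger indicator that .text holds packed or encrypted data rather than plain CIL.

```python
"""Added static-triage example; not code from the Joe Sandbox report or from the sample.

Reproduces two Data Obfuscation rows for Zoom.exe: decoding
IMAGE_FILE_HEADER.TimeDateStamp (0xACB26237 -> 2061-10-24 09:28:23 UTC) and the
Shannon entropy of a section (.text reported at 7.87 bits/byte).  The PE bytes
and the analysis date are constructed assumptions.
"""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ANALYSIS_TIME = datetime(2024, 11, 16, tzinfo=timezone.utc)  # assumed; the report's date is not on this page
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14                     # data directory slot of the CLR header
PACKED_ENTROPY_THRESHOLD = 7.0                                # bits/byte; plain compiled code sits well below


def _file_header_offset(data: bytes) -> int:
    """Offset of IMAGE_FILE_HEADER, i.e. just past the 'PE\\0\\0' signature at e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4


def pe_timestamp(data: bytes) -> int:
    """IMAGE_FILE_HEADER layout: Machine(u16) NumberOfSections(u16) TimeDateStamp(u32) ..."""
    (ts,) = struct.unpack_from("<I", data, _file_header_offset(data) + 4)
    return ts


def has_clr_header(data: bytes) -> bool:
    """True when data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated: a .NET image."""
    opt = _file_header_offset(data) + 20                        # optional header follows the 20-byte file header
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}[magic]                       # PE32 / PE32+: offset of the data directory array
    (n_dirs,) = struct.unpack_from("<I", data, opt + dirs - 4)  # NumberOfRvaAndSizes sits just before it
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    va, size = struct.unpack_from("<II", data, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return va != 0 and size != 0


def timestamp_verdict(ts: int, now: datetime, is_dotnet: bool) -> tuple:
    """Decode the stamp without fromtimestamp() (platform range limits) and rate it against 'now'."""
    stamp = EPOCH + timedelta(seconds=ts)
    if stamp <= now:
        return stamp, "plausible"
    if is_dotnet:
        # Caveat: deterministic Roslyn builds store a content hash in this field,
        # so far-future stamps are routine for .NET assemblies and weak evidence alone.
        return stamp, "future (unreliable for .NET: deterministic-build hash)"
    return stamp, "future: stamp is later than the analysis time"


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 8.0 is uniform random; packed/encrypted code is typically > 7."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage(data: bytes, text_section: bytes, now: datetime = ANALYSIS_TIME) -> dict:
    dotnet = has_clr_header(data)
    stamp, verdict = timestamp_verdict(pe_timestamp(data), now, dotnet)
    ent = shannon_entropy(text_section)
    return {"timestamp": stamp.isoformat(), "timestamp_verdict": verdict, "dotnet": dotnet,
            "text_entropy": round(ent, 4), "likely_packed": ent >= PACKED_ENTROPY_THRESHOLD}


def build_sample_pe(timestamp: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (DOS stub + file header + optional header); not the real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = bytearray(224)                                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                                        # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                                          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe(0xACB26237, dotnet=True)
    packed_text = bytes(random.Random(1).randrange(256) for _ in range(4096))  # stand-in for a packed .text
    print(triage(sample, packed_text))
```

Pointing the same functions at a real file (read it into bytes, slice the .text section using its PointerToRawData and SizeOfRawData from the section table) gives the two numbers the report shows; the verdict string is where the .NET caveat is applied so that a far-future stamp is not over-weighted on its own.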
Source: C:\Users\user\Desktop\Zoom.exe | File created: C:\Users\user\AppData\Roaming\Zoom.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Zoom
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Zoom
Source: C:\Users\user\Desktop\Zoom.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Zoom.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\Zoom.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\197E6E777F059FE30F6E8292393F615F 57cea44528b4a4ada7e68dbaaab9333c
Source: C:\Users\user\Desktop\Zoom.exe | Process information set: NOOPENFILEERRORBOX (60 identical rows)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (71 identical rows)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Zoom.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
            Source: C:\Users\user\Desktop\Zoom.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
            Source: C:\Users\user\Desktop\Zoom.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Users\user\Desktop\Zoom.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
            Source: C:\Users\user\Desktop\Zoom.exe Memory allocated: 15B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Zoom.exe Memory allocated: 3110000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Zoom.exe Memory allocated: 1740000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Memory allocated: 1150000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Memory allocated: 2CF0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Memory allocated: 4CF0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Memory allocated: 1310000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Memory allocated: 3020000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Memory allocated: 1540000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Code function: 6_2_01311059 rdtsc 6_2_01311059
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Zoom.exe Window / User API: threadDelayed 2986
            Source: C:\Users\user\Desktop\Zoom.exe Window / User API: threadDelayed 6683
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5954
            Source: C:\Users\user\Desktop\Zoom.exe TID: 320 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31359464925306218s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -35000s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -34796s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -34375s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -34231s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -34123s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -34012s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33859s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33733s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33624s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33515s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33406s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33296s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33187s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -33077s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32968s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32859s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32750s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32640s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32531s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32421s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32311s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32203s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -32082s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31757s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31640s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31528s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31421s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31312s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31203s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -31093s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30984s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30874s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30765s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30656s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30546s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30437s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30328s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30218s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe TID: 6624 Thread sleep time: -30109s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5000 Thread sleep count: 5954 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248 Thread sleep count: 259 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4852 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6004 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Zoom.exe TID: 2704 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\Zoom.exe TID: 1120 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Zoom.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 35000
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 34796
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 34375
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 34231
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 34123
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 34012
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33859
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33733
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33624
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33515
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33406
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33296
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33187
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 33077
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32968
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32859
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32750
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32640
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32531
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32421
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32311
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32203
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 32082
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31757
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31640
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31528
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31421
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31312
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31203
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 31093
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30984
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30874
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30765
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30656
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30546
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30437
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30328
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30218
            Source: C:\Users\user\Desktop\Zoom.exe Thread delayed: delay time: 30109
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Thread delayed: delay time: 922337203685477
            Source: Zoom.exe, 00000000.00000002.4547570275.0000000006727000.00000004.00000020.00020000.00000000.sdmp, Zoom.exe, 00000000.00000002.4517013238.000000000140C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Roaming\Zoom.exe Code function: 6_2_01311059 rdtsc 6_2_01311059
            Source: C:\Users\user\Desktop\Zoom.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Zoom.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 172.81.130.139MIIE6DCCAtCgAwIBAgIQAPVTIUeAi1ZxDDUvyf/w+zANBgkqhkiG9w0BAQ0FADAVMRMwEQYDVQQDDApTamJkZ2V2b2ViMCAXDTI0MTExMzEyNTAyOVoYDzk5OTkxMjMxMjM1OTU5WjAVMRMwEQYDVQQDDApTamJkZ2V2b2ViMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAybTZ2IfPpLYTU/C7aphX2Asxw0mb2BMwkqvsfceaeF0Ce0001VvyTe8qMNi0oOIes2XTH8nNsk3cceHTAu73eIWPIJXopiBcaL/u+kUaaztjO4NvPWCYeQdC8hfbQRHxroVvSU4JMKef/fApH64vqFThpKteiJqNYmywm3MzfuaKMNE3VVtvU6uJ5IExI49V05LD3Qt9PQ2NMW9z9WNwTKcH29xEukmrvmaVlaoe1NxL2BNBrDmgCgzYm+KtDxaL69YU3EK56hvzNvJF+OKLpOlshBbhpWGzAUAxDvCVrH0YbzsFEYnEKJlJtJz6bWh48V1fi/wXnXokEVZoGrVDqpQgAgvR0iu/qaiy4KIOiz9xUgkKu4dEgrn9IrXlJS/k0yp9chTUrbMPhA4eakMfitbAHJvsUKUx57OL7SqoXOruTTeI5cSdqytwiQ7jeaGxE7Gvt/BZWMsD/zADWWc7ShxePLBS8F6FE51QHv0JyoSf8j1+qqtC0p3in4GXIJdK7on73RMDZMtrCcksKsmVUYvHKpz/+Dh5Y8Z7jVBlWZYWqxiZiBqQnX7lzXbUW0RWJNA7wJOo7JSYWFeUMearAZHusocRrCZJ5c4TAvtZTVshMEMyu9+ceEMWEL289doH5OH1XEbQBwyKA4ah5hOg9APv9GpAymm9HrbLcQyvTccCAwEAAaMyMDAwHQYDVR0OBBYEFIWRNz6dBqNhU5l4J/V05+pT3nycMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAH/BWlLBvnn4mRunJhQWOzez/LMauTzwGPnQsTaRumYga8OGRjOpUW/7MwMsfUcAKXSiqc6JLVmS6lwBMYwXUxjZid7sjR1DdreoFdHV+X63BopDHdG6Oz3nr+rFjEMXNtGcTsUYKVHUwC3dam9bHCl6VOB11T8emx2UoTAjeFPtyN4UFg2JJ0p5DGbAW135v0ifUsdc3bGA9CaOWa6qFfqGJOjrrDLVqzp0ekhRhPsevFrTBrfMEbk4aUL4u1QpbnTXWvhWeac8Zi9TAVZ1DE0CzmJJvAzkbTchtmNcBh6jihXBSdn/iFSPfVQ51Y3hl2L8NiXqc5t4ZQwBYfzYEuorCiW+G+K6NLlWd6Gm9CtvtB/+ncPy6BvoKp4AKDtWNN/HMwbcLsiY87+yZgIo8VRzhI8GnDwubriX6NqNwoZS3yW90bRDqlu+hHVrvhvuJuLsQwVErbZ0MjCN7g+SOauWib8Kft/TFCVe1NcnQY7dqK9ceR1BjbhLMrjhlN9FSRjFyFXzGs+Gy20jE0TS7vk1nO6hsg//5wgob8cJHFDxoih/9KfqLJ2vsYk1zbasm/HCwS6mlf0hsN2wfLBQs+lp/kUUG2x+zaPrmR/RCVX7Get5A8QbWhcdrTFjg/w6gkiUzlrE7LlwinHjOiNxm2Mw7jiVC4bgdSXwa32Ffskd"Default(:Zoom.exeBAPPDATAJc133332651f9
            Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'Jump to behavior
            Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom' -value '"c:\users\user\appdata\roaming\zoom.exe"' -propertytype 'string'
            Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom' -value '"c:\users\user\appdata\roaming\zoom.exe"' -propertytype 'string'Jump to behavior
            Source: Zoom.exe, 00000000.00000002.4519895828.000000000371B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTejq
            Source: Zoom.exe, 00000000.00000002.4519895828.000000000371B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: Zoom.exe, 00000000.00000002.4519895828.000000000371B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager*
            Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Users\user\Desktop\Zoom.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Users\user\AppData\Roaming\Zoom.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zoom.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: Zoom.exe PID: 6496, type: MEMORYSTR
            Source: Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
            Source: Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
            Source: Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus Web3
            Source: Zoom.exe, 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
            Source: Zoom.exe, 00000000.00000002.4533314629.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
            Source: C:\Users\user\Desktop\Zoom.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
            Source: Yara match | File source: 00000004.00000002.2363736434.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.4519895828.0000000003133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Zoom.exe PID: 6496, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Zoom.exe PID: 5044, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: Process Memory Space: Zoom.exe PID: 6496, type: MEMORYSTR

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 321 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 531 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 341 Virtualization/Sandbox Evasion | NTDS | 341 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 213 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
