Manalyze report for 3a5444b13adebba987d703b8bb2a9c8f13585374506ec621d458f233762e2ce7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Mar-15 07:29:23
Detected languages	English - United States
Debug artifacts	C:\jenkins\workspace\zoomci\Windows\release\Bin\Release\NewZoomWebLauncher.pdb
Comments	Zoom Opener
CompanyName	Zoom Video Communications, Inc.
FileDescription	Zoom Opener
FileVersion	`5,6,0,526`
InternalName	Zoom Opener
LegalCopyright	© Zoom Video Communications, Inc. All rights reserved.
LegalTrademarks	Zoom Opener
OriginalFilename	Zoom Opener
ProductName	Zoom Opener
ProductVersion	`5,6,0,526`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe` `Contains domain names: .devgov.zipow.com .meetzoom.net .zipow.com .zoom.com .zoom.com.cn .zoom.us .zoomdev.us .zoomgov.com .zoomgovdev.com .zoomus.cn devgov.zipow.com https://support.zoom.us https://support.zoom.us/hc/en-us/articles/201362003-Zoom-Video-Communications-Technical-Support https://zoom.com https://zoom.com.cn https://zoom.com.cn/ https://zoom.us https://zoomgov.com meetzoom.net support.zoom.us zipow.com zoom.com.cn zoomdev.us zoomgov.com zoomgovdev.com zoomus.cn`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryExW LoadLibraryExA GetProcAddress` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot FindWindowA` `Code injection capabilities (PowerLoader): GetWindowLongA FindWindowA` `Can access the registry: RegCloseKey RegQueryValueExA RegOpenKeyExA` `Possibly launches other programs: CreateProcessA ShellExecuteA` `Uses Microsoft's cryptographic API: CryptDecodeObjectEx CryptStringToBinaryA CryptImportPublicKeyInfo CryptVerifySignatureA CryptHashData CryptDestroyHash CryptReleaseContext CryptDestroyKey CryptCreateHash CryptAcquireContextA` `Can create temporary files: CreateFileA GetTempPathA` `Uses functions commonly found in keyloggers: GetForegroundWindow AttachThreadInput` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Functions related to the privilege level: CheckTokenMembership OpenProcessToken DuplicateTokenEx` `Manipulates other processes: Process32Next OpenProcess Process32First`
Info	The PE is digitally signed.	`Signer: Zoom Video Communications` `Issuer: DigiCert EV Code Signing CA (SHA2)`
Safe	VirusTotal score: 0/68 (Scanned on 2021-03-31 21:54:51)	`All the AVs think this file is safe.`

Hashes

MD5	`dbcfe7a22a422bf72001d943a574234e`
SHA1	`50885bca83a8f511b3757db235a43670a36a603e`
SHA256	`3a5444b13adebba987d703b8bb2a9c8f13585374506ec621d458f233762e2ce7`
SHA3	`644da3e47347bde612da85382b274fa763a1ae55836827c30cacc1fdadf58cc5`
SSDeep	`3072:LPX+0+lrADGXOLOcRm8ZmIwfvNUo+yiX:LPX+0+OAOLRTo`
Imports Hash	`e47192d11f3a744111d996dac07c6d5d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2021-Mar-15 07:29:23
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x10000`
SizeOfInitializedData	`0xb200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00007920 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x11000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x1d000`
SizeOfHeaders	`0x400`
Checksum	`0x2d822`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c923bad0b8a4277e43515505fe7fab61`
SHA1	`33b939038068c473fba711beb081cce311ac1c06`
SHA256	`545bef2066d064c9dadf122d3b977435d8bb0a04dba0dc1c194d79a48f507bbd`
SHA3	`d6f5eb42cef714d4216f183376fc26e8acca6a9517fefc17530d1843016216b0`
VirtualSize	`0xfee8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x10000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48031`

.rdata

MD5	`0e1ec4f5b78d257144e46f0ac37d46bb`
SHA1	`2a522b3b5f4c814f5a02a63b0cf0110469c291b8`
SHA256	`32d66bcf8c90551da8d002d4e27adf9006e2f0d039dcfab9ccdacd75e687dc85`
SHA3	`b9c0c13d65b235a5c8cfc17f81257db284e90acc642e8c964e1bbeaafda613d5`
VirtualSize	`0x6e9e`
VirtualAddress	`0x11000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x10400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.20077`

.data

MD5	`0e89820b5350cdd9b2cc3c3e068f170d`
SHA1	`f4ffb241c982a0367995656a1889a11fb9f002d6`
SHA256	`cb8f47b0d584c519675a85522f5d72c6ad7b0e405279aa301e50802a14dbd88d`
SHA3	`e64c4d06791a48338336369596f49599b3fd491ba6f220c4a0a3befa36268540`
VirtualSize	`0xd94`
VirtualAddress	`0x18000`
SizeOfRawData	`0x800`
PointerToRawData	`0x17400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.93047`

.rsrc

MD5	`c2e2fed56b234775abef62cb3380800c`
SHA1	`3faf762a6ba3a30aff379b6c964b11ae3cccda63`
SHA256	`895cfa5ec9eadd1c672d6b38c880eadb09133cc28bd13857996d94fc9708a1f2`
SHA3	`2e956f0fc32829d0c6e8aebaeb075a9db883c46c3f5e90f8bc15975a389d9236`
VirtualSize	`0x1ee0`
VirtualAddress	`0x19000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x17c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.95927`

.reloc

MD5	`51aa9f22f85d16f4a7773b7b8c7a700d`
SHA1	`5c501e734510d5e368259aed140cfd428a60b585`
SHA256	`e219afed5a9ef73aa0960920a2a1f3fd42a986de7b4c57a468f1f69f4d7c8ce1`
SHA3	`47904d3533697264b7bc2c50580b2444d2592e75654c778c81448c4c079174c1`
VirtualSize	`0x134c`
VirtualAddress	`0x1b000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x19c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.60721`

Imports

CRYPT32.dll	`CryptDecodeObjectEx` `CryptStringToBinaryA` `CryptImportPublicKeyInfo` `CertGetNameStringA`
WINTRUST.dll	`WTHelperProvDataFromStateData` `WTHelperGetProvCertFromChain` `WTHelperGetProvSignerFromChain` `WinVerifyTrust`
SHLWAPI.dll	`PathIsRelativeA` `StrCmpNIA` `#155` `StrStrA` `PathAppendA`
KERNEL32.dll	`GetLastError` `GetFileAttributesA` `CreateFileA` `LoadLibraryA` `HeapAlloc` `VerSetConditionMask` `GetProcessHeap` `RaiseException` `LocalFree` `GetModuleFileNameA` `FindFirstFileA` `SetLastError` `FindClose` `CreateMutexA` `WaitForSingleObject` `GetCurrentThreadId` `Sleep` `GetTempPathA` `CopyFileA` `OpenMutexA` `MoveFileExA` `DeleteFileA` `FreeLibrary` `CreateProcessA` `GetTempFileNameA` `FileTimeToSystemTime` `GetSystemTime` `GetFileTime` `ExpandEnvironmentStringsA` `CreateDirectoryA` `SetUnhandledExceptionFilter` `GetTickCount` `ExitProcess` `HeapLock` `HeapWalk` `HeapUnlock` `ReleaseSemaphore` `CreateSemaphoreA` `GetCommandLineA` `GetStartupInfoA` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSection` `ExitThread` `TerminateThread` `CreateThread` `DeleteCriticalSection` `CompareFileTime` `WriteFile` `SetFilePointer` `SetEndOfFile` `SystemTimeToFileTime` `FlushFileBuffers` `ReleaseMutex` `GetLocalTime` `GetSystemInfo` `VirtualAlloc` `VirtualProtect` `VirtualQuery` `IsDebuggerPresent` `UnhandledExceptionFilter` `TerminateProcess` `IsProcessorFeaturePresent` `TlsGetValue` `TlsSetValue` `GetSystemTimeAsFileTime` `LoadLibraryExW` `LCMapStringW` `WideCharToMultiByte` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetStringTypeW` `GetModuleHandleW` `GetModuleHandleExW` `QueryPerformanceCounter` `RtlUnwind` `LoadLibraryExA` `HeapFree` `VerifyVersionInfoA` `GetProcessTimes` `GetCurrentProcessId` `GetProcAddress` `GetWindowsDirectoryA` `CloseHandle` `Process32Next` `MultiByteToWideChar` `CreateToolhelp32Snapshot` `OpenProcess` `GetModuleHandleA` `QueryDosDeviceA` `K32GetProcessImageFileNameA` `GetCurrentProcess` `Process32First` `GetVersion`
USER32.dll	`LoadStringA` `IsIconic` `SetForegroundWindow` `RegisterClassExA` `LoadIconA` `SetFocus` `GetForegroundWindow` `AttachThreadInput` `FrameRect` `GetWindowLongA` `MapWindowPoints` `DrawTextA` `GetSystemMetrics` `SetActiveWindow` `SetWindowPos` `InflateRect` `LoadCursorA` `SetPropA` `GetClassInfoA` `GetWindowRect` `GetClientRect` `UpdateWindow` `InvalidateRect` `BeginPaint` `EndPaint` `PostThreadMessageA` `GetMessageA` `DispatchMessageA` `SetTimer` `TranslateMessage` `PeekMessageA` `KillTimer` `SendMessageA` `PostQuitMessage` `PostMessageA` `GetWindowThreadProcessId` `FindWindowA` `DestroyWindow` `RegisterClassA` `UnregisterClassA` `IsWindowVisible` `FillRect` `IntersectRect` `GetDesktopWindow` `ShowWindow` `IsWindow` `SetWindowLongA` `MoveWindow` `ShowWindowAsync` `GetPropA` `DefWindowProcA` `CreateWindowExA`
GDI32.dll	`DeleteObject` `SelectObject` `GetStockObject` `SetTextColor` `SetBkMode` `CreateFontIndirectA` `GetObjectA` `CreateSolidBrush`
ADVAPI32.dll	`CryptVerifySignatureA` `CryptHashData` `CryptDestroyHash` `CryptReleaseContext` `AllocateAndInitializeSid` `FreeSid` `CheckTokenMembership` `RegCloseKey` `RegQueryValueExA` `RegOpenKeyExA` `GetUserNameA` `CryptDestroyKey` `CryptCreateHash` `CryptAcquireContextA` `OpenProcessToken` `DuplicateTokenEx`
SHELL32.dll	`SHGetFolderPathA` `ShellExecuteA`
ole32.dll	`CoUninitialize` `CoInitialize` `CoCreateInstance`
OLEAUT32.dll	`SysAllocStringLen` `SysFreeString` `VariantClear` `VariantInit` `SysAllocString`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.97506`
MD5	`923633dbdf8f6f0b611dc97c1386a887`
SHA1	`abb8d5e04011e7b64d4eab661b760c1172b42b4a`
SHA256	`e483d0ced2ecd0284ec1c5fed490d368a8eda298009dbdd7b8935ea0ab2933cb`
SHA3	`4d52c9b60305459e82850ac6c715f74de64fbd53a2f5a5dcd5e42f59fb9da995`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.01974`
MD5	`e2dd5e109ba9dfaa5d14fbc815d5299f`
SHA1	`08942490a2908787d7bbbef5e7a43a9b053b7875`
SHA256	`df340ed9118c9d7fbd6f5df72e676cc71f5e81d33af77d0f8c6f59cbcb8e9082`
SHA3	`effead78ba05b233d9ee891f330e03542272d4801cfa622892e3483b42c4209a`

7

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.77789`
MD5	`6255e834070b7c811cdd89698109136f`
SHA1	`895143845c163082c9421689dc6d81eb7681ec04`
SHA256	`7b1435e38c8caf28dc7aadd7f31216d84cae473ac60c9c7810da3a0169900924`
SHA3	`3bc7f937026bb83170a33ab884e98f795c6b23635cae3647005b70b4ac70184e`

32

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x160`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.10562`
MD5	`483663fa2348c2b0ea8a1b18ae06b143`
SHA1	`8702192a2f6c66f085496db7cea1f4b9af48f9f2`
SHA256	`021a026a2c4e37ddac53eaaa49a8dcac9f58b5d397c40d9adc64f60c8c7e2f5a`
SHA3	`537bd43ad4c27e3dc6088486afeaae297e2252b4313d71cfdee59b430e9dec0f`

33

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x258`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.31299`
MD5	`1cd143e3ef272c85e0bfbca6e3ccd3c5`
SHA1	`3c9c866b1e6376893a9e37ef3c2894694c149750`
SHA256	`b8f5863e28e8ec630e166535015744eb6789f820c2dc5014b045428e5b1e725b`
SHA3	`7d3baf4b16906b22ee8154c8b6625897d9571acdd09cdaf4cf925bc13ed1c54c`

2 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.21059`
Detected Filetype	Icon file
MD5	`86561693760b088960969f3b7654507a`
SHA1	`82368be1644244e0fd66f1d737b3d45d26b2218f`
SHA256	`b1a9ff73f6a9d486c67f409a629924792ca40aa8966d45e48239863f63629fd0`
SHA3	`206e8d2db4680b7736ddcf7885984ca26fa1a66e72ec9073e8052ba82ea94408`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x39c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.3996`
MD5	`f62f0c05868f61a05eade969859988be`
SHA1	`c3e940beb28578e04b87191b776a4c07c2b54e0c`
SHA256	`583c61bf8e489e896020c62fe987d3fd744e34f513ad59fa2936deb0de8378bc`
SHA3	`939b078d270c53fbf01f3c0bfb721479b38e40b3a2ae42598b5c8c9865bb9d95`

String Table contents

zlaunchermain
Retry
Please contact Zoom Support for help.
An unknown error has occurred
Join from browser
Installing Zoom...
Please do not close this window
Network Connection failed
Please check your network and try again.
Yes
No
Are you sure you want to close this window? Installation will be canceled.
Your disk is full
Free up storage and try again
zlauncheraskleave
Get support
Installing Zoom requires TLS 1.1&&1.2
Open Internet Options > Advanced to enable. Then click Retry to continue.
Open Internet Options

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.6.0.526
ProductVersion	5.6.0.526
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Zoom Opener
CompanyName	Zoom Video Communications, Inc.
FileDescription	Zoom Opener
FileVersion (#2)	5,6,0,526
InternalName	Zoom Opener
LegalCopyright	© Zoom Video Communications, Inc. All rights reserved.
LegalTrademarks	Zoom Opener
OriginalFilename	Zoom Opener
ProductName	Zoom Opener
ProductVersion (#2)	5,6,0,526

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Mar-15 07:29:23
Version	`0.0`
SizeofData	`103`
AddressOfRawData	`0x1684c`
PointerToRawData	`0x15c4c`
Referenced File	C:\jenkins\workspace\zoomci\Windows\release\Bin\Release\NewZoomWebLauncher.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2021-Mar-15 07:29:23
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x168b4`
PointerToRawData	`0x15cb4`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Mar-15 07:29:23
Version	`0.0`
SizeofData	`528`
AddressOfRawData	`0x168c8`
PointerToRawData	`0x15cc8`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2021-Mar-15 07:29:23
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0xbc`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x418654`
SEHandlerTable	`0x416840`
SEHandlerCount	`3`
GuardCFCheckFunctionPointer	`4264756`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x427935fd`
Unmarked objects	`0`
262 (26715)	`1`
Imports (26715)	`23`
Total imports	`224`
C++ objects (VS 2015/2017/2019 runtime 29118)	`9`
C objects (VS 2015/2017/2019 runtime 29118)	`12`
ASM objects (VS 2015/2017/2019 runtime 29118)	`10`
C++ objects (26715)	`69`
C objects (26715)	`2`
265 (VS2019 Update 8 (16.8.4) compiler 29336)	`33`
Resource objects (VS2019 Update 8 (16.8.4) compiler 29336)	`1`
Linker (VS2019 Update 8 (16.8.4) compiler 29336)	`1`

Errors

Leave a comment

No comments yet.