{"report_id":"987547e4-2fde-41a7-b62f-bc2086d28ce4","version":6,"status":"done","tags":["suspicious"],"date":"2026-05-21T20:21:35Z","url":{"schema":"http","addr":"us04web-zoom-workspace9786677402028402.online","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.108.153","port":0,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"final":{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"title":"Launch Meeting - Zoom","dom":{"size":450,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with very long lines (450), with no line terminators","md5":"e71b8e2692ff99c30ed516589b8d1f62","sha1":"909e4074f1afa9b8dbc05d58f18d043c129c2174","sha256":"4d40ff39fa5cf3f4dde0dbbb4050b33e732e6797529143efde7438daffce785c","sha512":"eda89316af423a1efc25454cf04df417682b042d956cc12686a3203f4eac2de64c0bd2e5363c6db64389ed7090be0cce7fc5d58854026d752cb3dc3feb6c569d","ssdeep":"","tlshash":"abf05cfe2d26c42672a5168510f0f26c512662547940d65489f9cc27a910fd718b3994","dom_hash":"domhashfa92bf49a0529f3ae8099507699ba65b","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"us04web-zoom-workspace9786677402028402.online","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.108.153","port":0,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-06-25T20:21:35Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":3,"urlquery":2,"analyzer":2}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-21T20:21:13Z","timestamp":1779394873,"ip_dst":{"addr":"104.26.12.205","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":42392,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI","source":"{\"timestamp\":\"2026-05-21T20:21:13.059903+0000\",\"flow_id\":90711474688292,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":42392,\"dest_ip\":\"104.26.12.205\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2047703,\"rev\":1,\"signature\":\"ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"affected_product\":[\"Any\"],\"attack_target\":[\"Client_and_Server\"],\"confidence\":[\"High\"],\"created_at\":[\"2023_08_22\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Low\"],\"reviewed_at\":[\"2023_08_22\"],\"signature_severity\":[\"Informational\"],\"tag\":[\"External_IP_Lookup\"],\"updated_at\":[\"2023_08_22\"]}},\"tls\":{\"sni\":\"api.ipify.org\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":789,\"bytes_toclient\":3436,\"start\":\"2026-05-21T20:21:13.053540+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-21T20:21:13Z","timestamp":1779394873,"ip_dst":{"addr":"149.154.166.110","port":443,"asn":62041,"as":"Telegram Messenger Inc","country":"United Kingdom","country_code":"GB"},"ip_src":{"addr":"Client IP","port":41040,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)","source":"{\"timestamp\":\"2026-05-21T20:21:13.305972+0000\",\"flow_id\":1801905902321053,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":41040,\"dest_ip\":\"149.154.166.110\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033967,\"rev\":1,\"signature\":\"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2021_09_16\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2021_09_16\"]}},\"tls\":{\"sni\":\"api.telegram.org\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"15af977ce25de452b96affa2addb1036\",\"string\":\"771,4866,43-51\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":918,\"bytes_toclient\":4500,\"start\":\"2026-05-21T20:21:13.261533+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2026-05-21T20:21:13Z","timestamp":1779394873,"ip_dst":{"addr":"149.154.166.110","port":443,"asn":62041,"as":"Telegram Messenger Inc","country":"United Kingdom","country_code":"GB"},"ip_src":{"addr":"Client IP","port":41052,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)","source":"{\"timestamp\":\"2026-05-21T20:21:13.308477+0000\",\"flow_id\":2242956093947441,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":41052,\"dest_ip\":\"149.154.166.110\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2033967,\"rev\":1,\"signature\":\"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2021_09_16\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2021_09_16\"]}},\"tls\":{\"sni\":\"api.telegram.org\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"15af977ce25de452b96affa2addb1036\",\"string\":\"771,4866,43-51\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":918,\"bytes_toclient\":2728,\"start\":\"2026-05-21T20:21:13.261681+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2026-05-21","alert":"Detects file containing Telegram Bot API","trigger":"us04web-zoom-workspace9786677402028402.online/","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-05-21","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"summary":[{"fqdn":"api.ipify.org","ip":{"addr":"104.26.12.205","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2014-01-05","domain_rank":8166,"first_seen":"2014-10-06T12:38:43Z","last_seen":"2026-05-18T13:09:34.199276Z","alert_count":0,"request_count":1,"received_data":269,"sent_data":503,"comment":"","tags":null,"fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"static.cloudflareinsights.com","ip":{"addr":"104.16.79.73","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2019-08-30","domain_rank":4073,"first_seen":"2019-09-24T14:34:56Z","last_seen":"2026-05-17T22:48:39.617247Z","alert_count":0,"request_count":1,"received_data":33601,"sent_data":568,"comment":"","tags":null,"fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]},{"fqdn":"us04web-zoom-workspace9786677402028402.online","ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"domain_registered":"2026-05-20","domain_rank":0,"first_seen":"2026-05-21T11:34:13.359034Z","last_seen":"2026-05-21T11:34:13.359034Z","alert_count":3,"request_count":4,"received_data":5618979,"sent_data":2171,"comment":"","tags":null,"fingerprints":[{"name":"GitHub Pages","description":"GitHub Pages is a static site hosting service.","website":"https://pages.github.com/","common_platform_enumeration":"","icon":"GitHub.svg","categories":["PaaS"]},{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]},{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]},{"name":"Cloudflare Browser Insights","description":"Cloudflare Browser Insights is a tool that measures the performance of websites from the perspective of users.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["Analytics","RUM"]}]},{"fqdn":"api.telegram.org","ip":{"addr":"149.154.166.110","port":443,"asn":62041,"as":"Telegram Messenger Inc","country":"United Kingdom","country_code":"GB"},"domain_registered":"2003-12-15","domain_rank":206724,"first_seen":"2015-06-25T10:09:00Z","last_seen":"2026-05-17T10:30:38.298298Z","alert_count":0,"request_count":2,"received_data":745,"sent_data":1251,"comment":"","tags":null,"fingerprints":[{"name":"Nginx:1.30.1","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"27947ff35ead8ef4e9086ef8ad45afdd","sha1":"243c0f69e6ae15e33767afcfd3e42fcc0834f214","sha256":"bab77f6f2d0b65c2c674e4598f537a39ce85232b23aa89b8c17fc35127b937fb","sha512":"822832251ead06e7c4d0e7bc0045dd4197db5a91d0f2372290bc33d71657c61f59eb046a335931d72bf11fb416fb9f4c58df348fab8af07202bc8cd9396c5e64","magic":"Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: ZoomClient Installer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 12.0.5.9, Subject: ZoomClient Installer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Zoom US, Keywords: Installer, Template: Intel;1033, Revision Number: {D95590A6-B25D-4696-8089-4B53D599D1C9}, Create Time/Date: Sat Jul 19 13:02:12 2025, Last Saved Time/Date: Sat Jul 19 13:02:12 2025, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (25.0.54.0), Security: 2","size":5595136,"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-05-21","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"b0b1b7a6000e859e29e1940b18e71872","sha1":"0cbdc7ad65d8901bb27eb7787e885de4bc5ac788","sha256":"382bcc98ee6519f8f8a03fdd5599e1e77fbd617ca9945a073f80c91219cc9ce3","sha512":"ede1b7457cfa5257163291f870d6abf0ce880d02d04ed176c6285554b7eb9c7a2f3eedf5bf62e3d8f2a3c4f5b43dfaa609c7ad2b5f135cc0be3cba076a8eeefa","ssdeep":"","tlshash":"a881205e25b3143007a330e9971fe2163022e11f369aec557a9ec794af1067de993bca","size":3864,"data":"","first_seen":"2026-05-21T11:34:27.90379Z","last_seen":"2026-05-21T20:21:39.722261Z","times_seen":2,"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2026-05-21","alert":"Detects file containing Telegram Bot API","trigger":"us04web-zoom-workspace9786677402028402.online/","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}}],"urlquery":null}},{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"610494467ea42e5e5ba1a5f8f07a1cfe","sha1":"ab669536cb6e72f17c68fea744602714b209853f","sha256":"94f8a3401c9df3e15d276db985de5bb356f220b3e1b493117f873b6f3ba83b10","sha512":"e8885d40888ec83470aeba3925be330794d010a89dd24ce38ebecd6c58acfa78392410d5582ae1831a8f1af81484ca3897abd0ba504398dbb3c95abc166517a8","ssdeep":"","tlshash":"c711e1b93a161534c6864046317de7a8393250657a019084c27ccc259918e8714efcbe","size":955,"data":"","first_seen":"2026-05-21T11:34:27.918513Z","last_seen":"2026-05-21T20:21:39.723591Z","times_seen":2,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"about","addr":"about:blank","fqdn":"","domain":"","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"ZZ"},"introduction_type":"scriptElement","is_inline":false,"md5":"8dd4c1243d29a246e7bd231946afb392","sha1":"4e2f72b300048bf3159a9fb4042b41c59b258ddc","sha256":"609be9984dfe7c45bc325e16f91c7b89ee7e44ba51225450f578e05532e361ad","sha512":"f14a2b97df35805c4746f0fe805ec77e6b6970d553e0c8a2c30f34da2b499805614f2df713d110913b90dd143977179cd7e970de3ba32ac6929abc258ea3f7a8","ssdeep":"","tlshash":"75d02bea25368531629a014510b1e3b8626262947650a25085fdcc1bb921e9720f2998","size":270,"data":"","first_seen":"2026-05-21T11:34:27.922236Z","last_seen":"2026-05-21T20:21:39.724605Z","times_seen":2,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"static.cloudflareinsights.com/beacon.min.js/v833ccba57c9e4d2798f2e76cebdd09a11778172276447","fqdn":"static.cloudflareinsights.com","domain":"cloudflareinsights.com","tld":"com"},"ip":{"addr":"104.16.79.73","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":false,"md5":"3ec2f610910f9dfd8e87975604e5e34c","sha1":"10d61ee41e8fe816ca08616159d7b6b8294a2011","sha256":"aca73fc574e12740e3368860b88a284d01b643456f3ed6a06322ecb47750563f","sha512":"e7b30399c71c25762d3671fe662070cc2e236f6aef815084a2460df8bfe72e598ef2b7d84ff808a56d80e7af6227fddbfb45046ac8218ee647fe66b7c08b3f11","ssdeep":"384:qVCILwCiUg1IX33sDycq+AgMXUQKxrhxIZOGNG620vbgZLTE5egwolSV0yuuokwz:AwCiUqHmcd/5xdKZdt8Z3Cer2yuuDPQB","tlshash":"6ce219e9b595713613f350b2406f220bb33a7562588e8018e22bd7c16c78eded267f6d","size":33228,"data":"","first_seen":"2026-05-07T16:46:10.96487Z","last_seen":"2026-06-06T23:14:48.64952Z","times_seen":29507,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"api.ipify.org/?format=json","fqdn":"api.ipify.org","domain":"ipify.org","tld":"org"},"ip":{"addr":"104.26.12.205","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://us04web-zoom-workspace9786677402028402.online/","date":"2026-05-21T20:21:13.037Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"ipify.org","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Wed, 29 Apr 2026 21:16:17 GMT","end":"Tue, 28 Jul 2026 22:16:15 GMT"},"fingerprint":{"sha1":"6D:CC:48:D6:E1:8C:50:0D:7C:B9:13:15:F0:18:E0:73:56:59:60:F7","sha256":"00:FD:76:18:CB:8D:B6:5A:4C:B7:0A:37:77:28:B1:01:5C:3D:6A:E4:2D:06:02:C1:9D:B8:6B:F8:6F:F8:31:77"}}},"request":{"raw":"GET /?format=json HTTP/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://us04web-zoom-workspace9786677402028402.online/\r\nOrigin: https://us04web-zoom-workspace9786677402028402.online\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Thu, 21 May 2026 20:21:13 GMT\r\ncontent-type: application/json\r\ncontent-length: 21\r\nserver: cloudflare\r\naccess-control-allow-origin: *\r\nvary: Origin\r\ncf-cache-status: DYNAMIC\r\ncf-ray: 9ff64944bc9656c0-OSL\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":21,"size_decoded":0,"mime_type":"application/json","magic":"JSON text data","md5":"7d69c71af0f191e9a72db6153f8018d1","sha1":"f67c5f2887bc05654b47f76e9621e53a4091aed1","sha256":"5bac6e06cf0e1ad38c55f9f9d12122272bf4b8157877629fe68cd33fe2133c65","sha512":"fdf43a8f3d843fe9008949d6709c8e2a5cd640f6101522319745f0a829f21dc8f4bd4d70ff3e2f6e1fd53ca0d2dd872bf3588c593a403071102ab28763cbdba5","ssdeep":"","tlshash":"b8700022000000208c80800eca0a032223a0000ac20a00088e800b2288a0b380282032","first_seen":"2023-04-05T02:54:03Z","last_seen":"2026-06-06T23:32:02.434888Z","times_seen":93288,"resource_available":false,"data":null}},"time_used":176,"timings":{"blocked":35,"dns":21,"connect":1,"send":0,"wait":101,"receive":1,"ssl":13},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"static.cloudflareinsights.com/beacon.min.js/v833ccba57c9e4d2798f2e76cebdd09a11778172276447","fqdn":"static.cloudflareinsights.com","domain":"cloudflareinsights.com","tld":"com"},"ip":{"addr":"104.16.79.73","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://us04web-zoom-workspace9786677402028402.online/","date":"2026-05-21T20:21:13.033Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"cloudflareinsights.com","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Fri, 17 Apr 2026 18:57:25 GMT","end":"Thu, 16 Jul 2026 19:57:22 GMT"},"fingerprint":{"sha1":"AB:25:45:8F:55:B6:2B:26:B5:B1:EF:90:E0:60:64:9C:56:47:0F:B5","sha256":"47:83:31:CC:5E:02:0E:51:A7:52:AC:83:1B:8A:A8:4C:74:11:A5:F1:61:8D:C5:6D:29:3C:9D:6A:C9:29:AF:7F"}}},"request":{"raw":"GET /beacon.min.js/v833ccba57c9e4d2798f2e76cebdd09a11778172276447 HTTP/1.1\r\nHost: static.cloudflareinsights.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://us04web-zoom-workspace9786677402028402.online\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://us04web-zoom-workspace9786677402028402.online/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Thu, 21 May 2026 20:21:13 GMT\r\ncontent-type: text/javascript;charset=UTF-8\r\naccess-control-allow-origin: *\r\ncache-control: public, max-age=86400\r\netag: W/\"2026.5.0\"\r\nlast-modified: Thu, 07 May 2026 16:44:36 GMT\r\ncross-origin-resource-policy: cross-origin\r\ncontent-encoding: gzip\r\nserver: cloudflare\r\ncf-ray: 9ff649449c25569d-OSL\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":33228,"size_decoded":0,"mime_type":"text/javascript; charset=UTF-8","magic":"JavaScript source, ASCII text, with very long lines (33228), with no line terminators","md5":"3ec2f610910f9dfd8e87975604e5e34c","sha1":"10d61ee41e8fe816ca08616159d7b6b8294a2011","sha256":"aca73fc574e12740e3368860b88a284d01b643456f3ed6a06322ecb47750563f","sha512":"e7b30399c71c25762d3671fe662070cc2e236f6aef815084a2460df8bfe72e598ef2b7d84ff808a56d80e7af6227fddbfb45046ac8218ee647fe66b7c08b3f11","ssdeep":"384:qVCILwCiUg1IX33sDycq+AgMXUQKxrhxIZOGNG620vbgZLTE5egwolSV0yuuokwz:AwCiUqHmcd/5xdKZdt8Z3Cer2yuuDPQB","tlshash":"6ce219e9b595713613f350b2406f220bb33a7562588e8018e22bd7c16c78eded267f6d","first_seen":"2026-05-07T16:46:10.96487Z","last_seen":"2026-06-06T23:14:48.64952Z","times_seen":29507,"resource_available":true,"data":null}},"time_used":68,"timings":{"blocked":19,"dns":1,"connect":1,"send":0,"wait":28,"receive":0,"ssl":15},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/cdn-cgi/challenge-platform/scripts/jsd/main.js","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://us04web-zoom-workspace9786677402028402.online/","date":"2026-05-21T20:21:13.140Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"us04web-zoom-workspace9786677402028402.online","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Thu, 21 May 2026 08:43:30 GMT","end":"Wed, 19 Aug 2026 08:43:29 GMT"},"fingerprint":{"sha1":"48:A6:B9:76:68:92:DE:9F:6B:7D:4F:AF:CC:60:9B:E5:D0:C4:06:B0","sha256":"E7:D2:61:83:20:D1:C2:2A:92:A6:1B:7A:FF:BD:53:22:89:AB:E8:98:A6:F4:2D:A2:D2:68:B3:9C:91:E8:36:A4"}}},"request":{"raw":"GET /cdn-cgi/challenge-platform/scripts/jsd/main.js HTTP/1.1\r\nHost: us04web-zoom-workspace9786677402028402.online\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\nserver: GitHub.com\r\ncontent-type: text/html; charset=utf-8\r\naccess-control-allow-origin: *\r\netag: W/\"69a01f78-24a3\"\r\ncontent-security-policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'\r\ncontent-encoding: gzip\r\nx-proxy-cache: MISS\r\nx-github-request-id: EAC4:EAA9:40A216:417481:6A0F6939\r\naccept-ranges: bytes\r\nage: 0\r\ndate: Thu, 21 May 2026 20:21:13 GMT\r\nvia: 1.1 varnish\r\nx-served-by: cache-hel1410030-HEL\r\nx-cache: MISS\r\nx-cache-hits: 0\r\nx-timer: S1779394873.160526,VS0,VE154\r\nvary: Accept-Encoding\r\nx-fastly-request-id: 0b6dc2379f193a002dccbffe1dd8dfad091dc8ea\r\ncontent-length: 5254\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":[{"name":"GitHub Pages","description":"GitHub Pages is a static site hosting service.","website":"https://pages.github.com/","common_platform_enumeration":"","icon":"GitHub.svg","categories":["PaaS"]},{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]},{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]}],"data":{"size":9379,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with very long lines (3909)","md5":"c1f9838a645648cb3b25359f7890a288","sha1":"0cf12d25140e329bcb4c304feefce63f8f0ba7b3","sha256":"b620507312c5e97566a3c6cfaf99144fefc18a0da7d941401dfa0f5f58fb0368","sha512":"385898ec5d1ce3d13e8169945128724f6717cc35cec01d642b90046f7e03dd28a688771ca84ea53b81c8ef8cec8c1e28012c37732b80d1278a233468514a13f3","ssdeep":"192:Iwnb1iC9OA9XXMa9bYnr7JMkrALQDUnulGVopLAGCALQD6vnglET31iCLL3d:rB8HN3DUulGmmv3D6vglETliCfN","tlshash":"5a125c7f19e93705d8028e1539f227993d65840f9a866f6eb9ad1312cf8ed10e1a37cc","first_seen":"2023-06-17T01:23:25Z","last_seen":"2026-06-06T22:14:33.069924Z","times_seen":17544,"resource_available":true,"data":null}},"time_used":182,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":181,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"api.telegram.org/bot8492475642:AAGaBV0lQI2h-kE1ZhnUZM3mfFr3pr0C5Xk/sendMessage","fqdn":"api.telegram.org","domain":"telegram.org","tld":"org"},"ip":{"addr":"149.154.166.110","port":443,"asn":62041,"as":"Telegram Messenger Inc","country":"United Kingdom","country_code":"GB"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://us04web-zoom-workspace9786677402028402.online/","date":"2026-05-21T20:21:14.399Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"api.telegram.org","organization":""},"issuer":{"commonName":"Go Daddy Secure Certificate Authority - G2","organization":"GoDaddy.com, Inc."},"validity":{"start":"Tue, 11 Nov 2025 15:14:09 GMT","end":"Sun, 13 Dec 2026 15:14:09 GMT"},"fingerprint":{"sha1":"EC:27:13:72:1E:6C:94:9F:47:59:A4:24:4F:AB:9B:02:E3:6E:54:41","sha256":"64:47:03:9A:C9:ED:B9:03:8C:07:6E:AA:3D:BF:75:4B:4C:C1:4E:C1:A5:8C:83:2D:3E:FD:0C:E7:F7:82:C2:71"}}},"request":{"raw":"POST /bot8492475642:AAGaBV0lQI2h-kE1ZhnUZM3mfFr3pr0C5Xk/sendMessage HTTP/1.1\r\nHost: api.telegram.org\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://us04web-zoom-workspace9786677402028402.online/\r\nContent-Type: application/json\r\nContent-Length: 353\r\nOrigin: https://us04web-zoom-workspace9786677402028402.online\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"POST"},"response":{"raw":"HTTP/2 400 Bad Request\r\nserver: nginx/1.30.1\r\ndate: Thu, 21 May 2026 20:21:14 GMT\r\ncontent-type: application/json\r\ncontent-length: 56\r\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\r\naccess-control-allow-origin: *\r\naccess-control-expose-headers: Content-Length,Content-Type,Date,Server,Connection\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"400","status_text":"Bad Request","fingerprints":[{"name":"Nginx:1.30.1","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":56,"size_decoded":0,"mime_type":"application/json","magic":"JSON text data","md5":"d948d5845276032d39194409db9ad97b","sha1":"475fe4e71224df85d494e34e0cb8ed799afcdb0d","sha256":"a0a1e0f24b392c6da875c10977d169497a47f669b7e671e62330e125a56721fb","sha512":"3e538a78d85dc32eb47db705c97d627ed8851f6dd87904e2e39aa1d5357cdeaea2a7746fc2ccddbde9bcbcab66ddcceff4ab5cf8db169c49e0f81c592104c67f","ssdeep":"","tlshash":"22900244098ed56744da11605935954855b756b8641964404d95611d56421ea58f240a","first_seen":"2023-07-28T20:34:41Z","last_seen":"2026-06-05T17:32:24.536796Z","times_seen":416,"resource_available":true,"data":null}},"time_used":22,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":22,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-05-21T20:21:16.523Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"us04web-zoom-workspace9786677402028402.online","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Thu, 21 May 2026 08:43:30 GMT","end":"Wed, 19 Aug 2026 08:43:29 GMT"},"fingerprint":{"sha1":"48:A6:B9:76:68:92:DE:9F:6B:7D:4F:AF:CC:60:9B:E5:D0:C4:06:B0","sha256":"E7:D2:61:83:20:D1:C2:2A:92:A6:1B:7A:FF:BD:53:22:89:AB:E8:98:A6:F4:2D:A2:D2:68:B3:9C:91:E8:36:A4"}}},"request":{"raw":"GET /zoomupdate/ZoomInstaller-ClientsSetup.msi HTTP/1.1\r\nHost: us04web-zoom-workspace9786677402028402.online\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://us04web-zoom-workspace9786677402028402.online/\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\nserver: GitHub.com\r\ncontent-type: application/octet-stream\r\nlast-modified: Thu, 21 May 2026 11:35:19 GMT\r\naccess-control-allow-origin: *\r\netag: W/\"6a0eedf7-556000\"\r\nexpires: Thu, 21 May 2026 20:31:16 GMT\r\ncache-control: max-age=600\r\ncontent-encoding: gzip\r\nx-proxy-cache: MISS\r\nx-github-request-id: D330:329A9E:3FE873:40BA9F:6A0F693B\r\naccept-ranges: bytes\r\nage: 0\r\ndate: Thu, 21 May 2026 20:21:16 GMT\r\nvia: 1.1 varnish\r\nx-served-by: cache-hel1410030-HEL\r\nx-cache: MISS\r\nx-cache-hits: 0\r\nx-timer: S1779394877.544988,VS0,VE370\r\nvary: Accept-Encoding\r\nx-fastly-request-id: 39d5c7eee77dd546ea4792792c862df08621bdb2\r\ncontent-length: 3817479\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]},{"name":"GitHub Pages","description":"GitHub Pages is a static site hosting service.","website":"https://pages.github.com/","common_platform_enumeration":"","icon":"GitHub.svg","categories":["PaaS"]},{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]}],"data":{"size":5595136,"size_decoded":0,"mime_type":"application/octet-stream","magic":"Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: ZoomClient Installer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 12.0.5.9, Subject: ZoomClient Installer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Zoom US, Keywords: Installer, Template: Intel;1033, Revision Number: {D95590A6-B25D-4696-8089-4B53D599D1C9}, Create Time/Date: Sat Jul 19 13:02:12 2025, Last Saved Time/Date: Sat Jul 19 13:02:12 2025, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (25.0.54.0), Security: 2","md5":"27947ff35ead8ef4e9086ef8ad45afdd","sha1":"243c0f69e6ae15e33767afcfd3e42fcc0834f214","sha256":"bab77f6f2d0b65c2c674e4598f537a39ce85232b23aa89b8c17fc35127b937fb","sha512":"822832251ead06e7c4d0e7bc0045dd4197db5a91d0f2372290bc33d71657c61f59eb046a335931d72bf11fb416fb9f4c58df348fab8af07202bc8cd9396c5e64","ssdeep":"24576:atMcpV2OqUSDINYZRdx0B+X3bBH+ZZvzruLni:WpMOqrI2XdmBwHy3Si","tlshash":"9b2502313bc99a3fc776183995759b255e19ff634b20c1cba30438ea2e716f2a938744","first_seen":"2026-05-21T11:34:27.901661Z","last_seen":"2026-05-21T20:21:39.717146Z","times_seen":2,"resource_available":true,"data":null}},"time_used":774,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":397,"receive":377,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2026-05-21","alert":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","trigger":"us04web-zoom-workspace9786677402028402.online/zoomupdate/ZoomInstaller-ClientsSetup.msi","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2022-06-10","description":"Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable","reference":"Internal Research","rule":"SUSP_PS1_JAB_Pattern_Jun22_1","score":"70"}}],"urlquery":null}},{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-05-21T20:21:12.575Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"us04web-zoom-workspace9786677402028402.online","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Thu, 21 May 2026 08:43:30 GMT","end":"Wed, 19 Aug 2026 08:43:29 GMT"},"fingerprint":{"sha1":"48:A6:B9:76:68:92:DE:9F:6B:7D:4F:AF:CC:60:9B:E5:D0:C4:06:B0","sha256":"E7:D2:61:83:20:D1:C2:2A:92:A6:1B:7A:FF:BD:53:22:89:AB:E8:98:A6:F4:2D:A2:D2:68:B3:9C:91:E8:36:A4"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: us04web-zoom-workspace9786677402028402.online\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\nserver: GitHub.com\r\ncontent-type: text/html; charset=utf-8\r\nlast-modified: Thu, 21 May 2026 11:35:19 GMT\r\naccess-control-allow-origin: *\r\netag: W/\"6a0eedf7-2ec6\"\r\nexpires: Thu, 21 May 2026 20:31:12 GMT\r\ncache-control: max-age=600\r\ncontent-encoding: gzip\r\nx-proxy-cache: MISS\r\nx-github-request-id: D32A:378A:3F1551:3FE6B2:6A0F6938\r\naccept-ranges: bytes\r\nage: 0\r\ndate: Thu, 21 May 2026 20:21:12 GMT\r\nvia: 1.1 varnish\r\nx-served-by: cache-hel1410030-HEL\r\nx-cache: MISS\r\nx-cache-hits: 0\r\nx-timer: S1779394873.747629,VS0,VE131\r\nvary: Accept-Encoding\r\nx-fastly-request-id: 7c2914d7bf624534b9a22ceaf40559ac52bd26b3\r\ncontent-length: 4572\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare Browser Insights","description":"Cloudflare Browser Insights is a tool that measures the performance of websites from the perspective of users.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["Analytics","RUM"]},{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]},{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]},{"name":"GitHub Pages","description":"GitHub Pages is a static site hosting service.","website":"https://pages.github.com/","common_platform_enumeration":"","icon":"GitHub.svg","categories":["PaaS"]}],"data":{"size":11974,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (1569)","md5":"3f1559c41029b75ff4184e327192b95f","sha1":"acdca56462a496c5d33da6de933bbb270ffbc78e","sha256":"c9c0ffe7f4b3fb80d1149d7e5ff1bfe5137340ef4767212f766e64ec62ceb5ae","sha512":"4937a092c252e0f9c1c52730dc9de2eb0771a673cf7d7ce356058236d20764d045de9af149b6c9084f40171ea14c15f8bf766c4a6f7d881a863a31bbf4f60559","ssdeep":"192:uOIG5EcAWk1APIBwgkRiJVP1KTrlO3CexS8UmhYQ2atAURx6Y66iQEnx/3djqA:uOI9gdaCeY9mAatA3Y66iQEnx/3MA","tlshash":"9232d6ef26730025561362e45b6fe7253573e00b7202e81877edc368ef506add4a3a9e","first_seen":"2026-05-21T20:21:39.718618Z","last_seen":"2026-05-21T20:21:39.718618Z","times_seen":1,"resource_available":true,"data":null}},"time_used":461,"timings":{"blocked":151,"dns":89,"connect":26,"send":0,"wait":158,"receive":0,"ssl":33},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2026-05-21","alert":"Detects file containing Telegram Bot API","trigger":"us04web-zoom-workspace9786677402028402.online/","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]}},{"url":{"schema":"https","addr":"us04web-zoom-workspace9786677402028402.online/cdn-cgi/rum?","fqdn":"us04web-zoom-workspace9786677402028402.online","domain":"us04web-zoom-workspace9786677402028402.online","tld":"online"},"ip":{"addr":"185.199.109.153","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"xhr","requested_by":"https://us04web-zoom-workspace9786677402028402.online/","date":"2026-05-21T20:21:13.156Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"us04web-zoom-workspace9786677402028402.online","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Thu, 21 May 2026 08:43:30 GMT","end":"Wed, 19 Aug 2026 08:43:29 GMT"},"fingerprint":{"sha1":"48:A6:B9:76:68:92:DE:9F:6B:7D:4F:AF:CC:60:9B:E5:D0:C4:06:B0","sha256":"E7:D2:61:83:20:D1:C2:2A:92:A6:1B:7A:FF:BD:53:22:89:AB:E8:98:A6:F4:2D:A2:D2:68:B3:9C:91:E8:36:A4"}}},"request":{"raw":"POST /cdn-cgi/rum? HTTP/1.1\r\nHost: us04web-zoom-workspace9786677402028402.online\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\ncontent-type: application/json\r\nContent-Length: 670\r\nOrigin: https://us04web-zoom-workspace9786677402028402.online\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://us04web-zoom-workspace9786677402028402.online/\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"POST","post_data":{"size":670,"data":"{\"memory\":{},\"resources\":[],\"referrer\":\"\",\"eventType\":1,\"firstPaint\":0,\"firstContentfulPaint\":526,\"startTime\":1779394872550,\"versions\":{\"fl\":\"2024.11.0\",\"js\":\"2026.5.0\",\"timings\":2},\"pageloadId\":\"0a84b49b-e3b6-4229-8110-7f8c222b1e03\",\"location\":\"https://us04web-zoom-workspace9786677402028402.online/\",\"nt\":\"navigate\",\"timingsV2\":{\"nextHopProtocol\":\"h2\",\"domainLookupStart\":23,\"domainLookupEnd\":113,\"connectStart\":113,\"connectEnd\":175,\"requestStart\":175,\"responseStart\":333,\"responseEnd\":334,\"domInteractive\":516,\"domComplete\":589,\"loadEventStart\":589,\"loadEventEnd\":589,\"transferSize\":5236,\"decodedBodySize\":11974},\"siteToken\":\"418323d1593047bfa0d7624c42e22fde\",\"st\":2}"}},"response":{"raw":"HTTP/2 405 Method Not Allowed\r\nserver: Varnish\r\nretry-after: 0\r\naccept-ranges: bytes\r\ndate: Thu, 21 May 2026 20:21:13 GMT\r\nvia: 1.1 varnish\r\nx-served-by: cache-hel1410030-HEL\r\nx-cache: MISS\r\nx-cache-hits: 0\r\nx-timer: S1779394873.175994,VS0,VE0\r\nx-fastly-request-id: ffcd3205e002d4274bd17530d2ffa24c47061a53\r\ncontent-length: 131\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"405","status_text":"Method Not Allowed","fingerprints":[{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]},{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]}],"data":{"size":131,"size_decoded":0,"mime_type":"text/xml","magic":"HTML document, ASCII text","md5":"9a67f98ebf567e0b2b3cdeb58be2da2d","sha1":"36870e81e17d2a0ad49eaa5d208961f0290ba751","sha256":"db9c83197aadfaf315c26741f15264db83844a31372701a8465737d63508df7f","sha512":"c82addd9ad18c1bc8c37c7cbbca525db0759db12cc489c1e23286e39ecbcebc6032675c445bf187730a83630aff3f2ceecf3fca0162084a60dc43d818c6964db","ssdeep":"","tlshash":"22c09b5d530b7845860310440fc2f561915d821788f547003a898153b093519d585694","first_seen":"2023-04-12T09:13:00Z","last_seen":"2026-06-06T06:43:35.355189Z","times_seen":840,"resource_available":true,"data":null}},"time_used":30,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":29,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"api.telegram.org/bot8492475642:AAGaBV0lQI2h-kE1ZhnUZM3mfFr3pr0C5Xk/sendMessage","fqdn":"api.telegram.org","domain":"telegram.org","tld":"org"},"ip":{"addr":"149.154.166.110","port":443,"asn":62041,"as":"Telegram Messenger Inc","country":"United Kingdom","country_code":"GB"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://us04web-zoom-workspace9786677402028402.online/","date":"2026-05-21T20:21:13.236Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"api.telegram.org","organization":""},"issuer":{"commonName":"Go Daddy Secure Certificate Authority - G2","organization":"GoDaddy.com, Inc."},"validity":{"start":"Tue, 11 Nov 2025 15:14:09 GMT","end":"Sun, 13 Dec 2026 15:14:09 GMT"},"fingerprint":{"sha1":"EC:27:13:72:1E:6C:94:9F:47:59:A4:24:4F:AB:9B:02:E3:6E:54:41","sha256":"64:47:03:9A:C9:ED:B9:03:8C:07:6E:AA:3D:BF:75:4B:4C:C1:4E:C1:A5:8C:83:2D:3E:FD:0C:E7:F7:82:C2:71"}}},"request":{"raw":"OPTIONS /bot8492475642:AAGaBV0lQI2h-kE1ZhnUZM3mfFr3pr0C5Xk/sendMessage HTTP/1.1\r\nHost: api.telegram.org\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nAccess-Control-Request-Method: POST\r\nAccess-Control-Request-Headers: content-type\r\nReferer: https://us04web-zoom-workspace9786677402028402.online/\r\nOrigin: https://us04web-zoom-workspace9786677402028402.online\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"OPTIONS"},"response":{"raw":"HTTP/2 204 No Content\r\nserver: nginx/1.30.1\r\ndate: Thu, 21 May 2026 20:21:14 GMT\r\naccess-control-max-age: 86400\r\naccess-control-allow-origin: *\r\naccess-control-allow-methods: GET, POST, OPTIONS\r\naccess-control-allow-headers: content-type\r\naccess-control-expose-headers: Content-Length,Content-Type,Date,Server,Connection\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"204","status_text":"No Content","fingerprints":[{"name":"Nginx:1.30.1","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":0,"size_decoded":0,"mime_type":"text/plain","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-06-06T23:09:45.281132Z","times_seen":16194959,"resource_available":true,"data":null}},"time_used":2210,"timings":{"blocked":1092,"dns":28,"connect":21,"send":0,"wait":21,"receive":2,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}