e0e866b57a0767d237df3c54b9ced798a0407af00cc8a9f7d19c96fa66cd4e80

Analysis

max time kernel
422s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VooVMeeting_1410000197_3.3.5.510.publish.exe
Size

139.9MB
MD5

f5a4eddee715fc8bb9f0ac6cd888edc2
SHA1

5c7b6fbceef08f8798251e8495007428d013dc29
SHA256

e0e866b57a0767d237df3c54b9ced798a0407af00cc8a9f7d19c96fa66cd4e80
SHA512

0f982bebce1d4337e1e42cda6f57140e0b985dd76be99de1a09bf2245dd41ca815dfdb7c0c0d5180eac5db00c6283378ac034b0866d32286f0e5897a50411a16

Score

10^/10

bootkit discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

voovmeetingapp.exe

description pid process target process

PID 5016 created 2240 5016 voovmeetingapp.exe Explorer.EXE

description	pid	process	target process
PID 5016 created 2240	5016	voovmeetingapp.exe	Explorer.EXE

Executes dropped EXE 12 IoCs

Processes:

WemeetUpdateSvc.exeoutlook_addin_upgrade_helper.exevoovmeetingapp.exevoovmeetingapp.exevoovmeetingapp.exehw_check.exehw_check.exe0eb895043ca5d740bb94fa5ce3c2f13d.exevoovmeetingapp.exehw_check.exehw_check.exehw_check.exe

pid	process
2216	WemeetUpdateSvc.exe
400	outlook_addin_upgrade_helper.exe
5016	voovmeetingapp.exe
2088	voovmeetingapp.exe
2552	voovmeetingapp.exe
4560	hw_check.exe
3660	hw_check.exe
868	0eb895043ca5d740bb94fa5ce3c2f13d.exe
1504	voovmeetingapp.exe
1808	hw_check.exe
1176	hw_check.exe
3388	hw_check.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exeoutlook_addin_upgrade_helper.exevoovmeetingapp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	outlook_addin_upgrade_helper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	voovmeetingapp.exe

Loads dropped DLL 64 IoCs

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exeoutlook_addin_upgrade_helper.exevoovmeetingapp.exe

pid	process
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
400	outlook_addin_upgrade_helper.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe
5016	voovmeetingapp.exe

Modifies file permissions 1 TTPs 10 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1724 icacls.exe
3564 icacls.exe
4604 icacls.exe
3752 icacls.exe
3480 icacls.exe
4072 icacls.exe
2520 icacls.exe
916 icacls.exe
556 icacls.exe
3448 icacls.exe

pid	process
1724	icacls.exe
3564	icacls.exe
4604	icacls.exe
3752	icacls.exe
3480	icacls.exe
4072	icacls.exe
2520	icacls.exe
916	icacls.exe
556	icacls.exe
3448	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exeoutlook_addin_upgrade_helper.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	VooVMeeting_1410000197_3.3.5.510.publish.exe
File opened for modification	\??\PhysicalDrive0	outlook_addin_upgrade_helper.exe

Drops file in System32 directory 2 IoCs

Processes:

voovmeetingapp.exevoovmeetingapp.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	voovmeetingapp.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	voovmeetingapp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

voovmeetingapp.exevoovmeetingapp.exevoovmeetingapp.exevoovmeetingapp.exe

pid process

5016 voovmeetingapp.exe
2088 voovmeetingapp.exe
2552 voovmeetingapp.exe
1504 voovmeetingapp.exe

pid	process
5016	voovmeetingapp.exe
2088	voovmeetingapp.exe
2552	voovmeetingapp.exe
1504	voovmeetingapp.exe

Drops file in Program Files directory 64 IoCs

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exe

description	ioc	process
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resource\I18N\config_ja.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\vs_beauty_deep_tune_v5.bin	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\components\text-field.json	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\push-button\pushbutton_blue_disable.gft	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\FilterResource\faceoff\crazyfacegray.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\beauty_resources\beauty_face_beauty.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\record\Asset\Xtml.rdb	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\push-button\pushbutton_noborder_hover.gft	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\plugins\styles\qwindowsvistastyle.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\si_language_ko.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\vs_face_adjust_total_pass1.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\beauty_resources\beauty_chin.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\beauty_resources\beauty_nature.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\plugins\imageformats\qsvg.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\fs_nv122rgb.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\message\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\push-button\pushbutton_grey_normal.gft	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\radio-button\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resource\I18N\1041\GFStringBundle.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\components\dock-menu.json	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\components\dropdown-button.json	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\box\box_hover.gft	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\account\Asset\account.rcc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\tool_box_fb\manifest.json	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\FilterResource\filter\qingxin.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\app\platform\setting\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\drop-button\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\FilterResource\faceoff\video_wuguanliti\lips_mask.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\tab\tab_select.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\icon_enroll_status_approved.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\app\platform\live\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\question_answer\question_answer_module.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\fs_beauty_face_feature_v5.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\box\icon_code_clear_normal.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\crash_prompt\module.res	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\gift\module.res	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\fs_yuv2rgb.bin	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\info-button\icon_info_hover.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\desktop_common.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\ucrtbase.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resource\wemeet.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resource\Default\Xtml.rdb	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\vs_face_adjust_total_pass1.bin	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\vs_two_input_test.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\app\platform\live\add_disable.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\uikit\platform\box\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\gf-config.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\wemeet.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\FilterResource\faceoff\facekit_uv.dat	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\fs_beauty_deep_tune_v5.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\rooms_meeting\manifest.json	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\Cursor_Pen.cur	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\beauty_resources\filter_weimei.png	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\virtualdisplay\vda\x64\virtualdisplayadapter.cat	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\modules\web_app\web_app_module.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\fs_roi_blur_v2.bin	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\tbs\qb_200_percent.pak	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\shaders\dx11\vs_roi_blur_factor.wmc	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\themes\default\res\app\platform\live\[email protected]	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-sysinfo-l1-1-0.dll	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\si_language_ms.xml	VooVMeeting_1410000197_3.3.5.510.publish.exe
File created	C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\resources\raw\aekit_resources_win\FilterResource\faceoff\video_wuguanliti\teeth_lut.png	VooVMeeting_1410000197_3.3.5.510.publish.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voovmeetingapp.exevoovmeetingapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	voovmeetingapp.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

voovmeetingapp.exevoovmeetingapp.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	voovmeetingapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	voovmeetingapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exeWemeetUpdateSvc.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell\	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\DefaultIcon\ = "\"C:\\Program Files (x86)\\Tencent\\VooVMeeting\\voovmeetingapp.exe\",1"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell\	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell\open	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\TypeLib\ = "{89882228-a307-4697-b190-aef836059fc7}"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd4806d2ddf553eb8b\DefaultIcon	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{89882228-a307-4697-b190-aef836059fc7}	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\Version	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\VooVMeeting\\voovmeetingapp.exe\" \"%1\""	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\TypeLib	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\0\win32	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\TypeLib\Version = "1.0"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\URL Protocol	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell\open\	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WemeetUpdateSvc.exe\AppID = "{89882228-a307-4697-b190-aef836059fc7}"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\0\win32\ = "C:\\Program Files (x86)\\Tencent\\UpdateSvr\\WemeetUpdateSvc.exe"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\TypeLib	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\shell	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\.wxe1097d193e4320fd\OpenWithProgids	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\Programmable	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\HELPDIR	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd4806d2ddf553eb8b\URL Protocol	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\.wxe1097d193e4320fd\OpenWithProgids\wemeet = "0"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\LocalServer32\ = "\"C:\\Program Files (x86)\\Tencent\\UpdateSvr\\WemeetUpdateSvc.exe\""	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\ = "WemeetUpdateSvcLib"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\TypeLib\Version = "1.0"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\ = "VooV Meeting"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\UseOriginalUrlEncoding = "1"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\URL Protocol	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\FLAGS	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\FLAGS\ = "0"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\TypeLib\ = "{89882228-A307-4697-B190-AEF836059FC7}"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd4806d2ddf553eb8b\shell\open	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\DefaultIcon	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\shell\open\	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd4806d2ddf553eb8b\UseOriginalUrlEncoding = "1"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\ = "VooV Meeting"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\VooVMeetingUninstall.exe	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\LocalServer32	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\VooVMeetingUninstall.exe\	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Tencent\\UpdateSvr\\WemeetUpdateSvc.exe"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell\open\	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\ = "VooV Meeting"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\UseOriginalUrlEncoding = "1"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\DefaultIcon	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\Version\ = "1.0"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\ = "IWemeetEvaluate"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\TypeLib\ = "{89882228-A307-4697-B190-AEF836059FC7}"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell\open	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\UseOriginalUrlEncoding = "1"	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{89882228-a307-4697-b190-aef836059fc7}\ = "WemeetUpdateSvc"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WemeetUpdateSvc.exe	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\ = "WemeetEvaluate class"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\VooVMeeting\\voovmeetingapp.exe\" \"%1\""	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\0	WemeetUpdateSvc.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VooVMeeting_1410000197_3.3.5.510.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	VooVMeeting_1410000197_3.3.5.510.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VooVMeeting_1410000197_3.3.5.510.publish.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

voovmeetingapp.exe

pid process

2552 voovmeetingapp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exevoovmeetingapp.exe0eb895043ca5d740bb94fa5ce3c2f13d.exevoovmeetingapp.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2200	VooVMeeting_1410000197_3.3.5.510.publish.exe
2552	voovmeetingapp.exe
2552	voovmeetingapp.exe
868	0eb895043ca5d740bb94fa5ce3c2f13d.exe
868	0eb895043ca5d740bb94fa5ce3c2f13d.exe
868	0eb895043ca5d740bb94fa5ce3c2f13d.exe
868	0eb895043ca5d740bb94fa5ce3c2f13d.exe
2552	voovmeetingapp.exe
2552	voovmeetingapp.exe
1504	voovmeetingapp.exe
1504	voovmeetingapp.exe
2552	voovmeetingapp.exe
2552	voovmeetingapp.exe
776	msedge.exe
776	msedge.exe
2224	msedge.exe
2224	msedge.exe
3168	identity_helper.exe
3168	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

voovmeetingapp.exe

pid process

2552 voovmeetingapp.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

2224 msedge.exe
2224 msedge.exe
2224 msedge.exe

pid	process
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

voovmeetingapp.exemsedge.exe

pid	process
2552	voovmeetingapp.exe
2552	voovmeetingapp.exe
2552	voovmeetingapp.exe
2552	voovmeetingapp.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

voovmeetingapp.exe

pid process

2552 voovmeetingapp.exe
2552 voovmeetingapp.exe
2552 voovmeetingapp.exe
2552 voovmeetingapp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

voovmeetingapp.exe

pid process

5016 voovmeetingapp.exe

pid	process
5016	voovmeetingapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VooVMeeting_1410000197_3.3.5.510.publish.exevoovmeetingapp.exevoovmeetingapp.exevoovmeetingapp.exeoutlook_addin_upgrade_helper.exevoovmeetingapp.exemsedge.exe

description	pid	process	target process
PID 2200 wrote to memory of 1724	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 1724	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 1724	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 2520	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 2520	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 2520	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 916	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 916	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 916	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3564	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3564	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3564	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 556	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 556	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 556	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3448	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3448	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3448	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 4604	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 4604	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 4604	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3752	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3752	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3752	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 2216	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	WemeetUpdateSvc.exe
PID 2200 wrote to memory of 2216	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	WemeetUpdateSvc.exe
PID 2200 wrote to memory of 2216	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	WemeetUpdateSvc.exe
PID 2200 wrote to memory of 3480	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3480	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 3480	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 4072	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 4072	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 4072	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	icacls.exe
PID 2200 wrote to memory of 400	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	outlook_addin_upgrade_helper.exe
PID 2200 wrote to memory of 400	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	outlook_addin_upgrade_helper.exe
PID 2200 wrote to memory of 400	2200	VooVMeeting_1410000197_3.3.5.510.publish.exe	outlook_addin_upgrade_helper.exe
PID 5016 wrote to memory of 2088	5016	voovmeetingapp.exe	voovmeetingapp.exe
PID 5016 wrote to memory of 2088	5016	voovmeetingapp.exe	voovmeetingapp.exe
PID 5016 wrote to memory of 2088	5016	voovmeetingapp.exe	voovmeetingapp.exe
PID 2088 wrote to memory of 2552	2088	voovmeetingapp.exe	voovmeetingapp.exe
PID 2088 wrote to memory of 2552	2088	voovmeetingapp.exe	voovmeetingapp.exe
PID 2088 wrote to memory of 2552	2088	voovmeetingapp.exe	voovmeetingapp.exe
PID 2552 wrote to memory of 4560	2552	voovmeetingapp.exe	hw_check.exe
PID 2552 wrote to memory of 4560	2552	voovmeetingapp.exe	hw_check.exe
PID 2552 wrote to memory of 4560	2552	voovmeetingapp.exe	hw_check.exe
PID 2552 wrote to memory of 3660	2552	voovmeetingapp.exe	hw_check.exe
PID 2552 wrote to memory of 3660	2552	voovmeetingapp.exe	hw_check.exe
PID 2552 wrote to memory of 3660	2552	voovmeetingapp.exe	hw_check.exe
PID 400 wrote to memory of 868	400	outlook_addin_upgrade_helper.exe	0eb895043ca5d740bb94fa5ce3c2f13d.exe
PID 400 wrote to memory of 868	400	outlook_addin_upgrade_helper.exe	0eb895043ca5d740bb94fa5ce3c2f13d.exe
PID 400 wrote to memory of 868	400	outlook_addin_upgrade_helper.exe	0eb895043ca5d740bb94fa5ce3c2f13d.exe
PID 2088 wrote to memory of 1504	2088	voovmeetingapp.exe	voovmeetingapp.exe
PID 2088 wrote to memory of 1504	2088	voovmeetingapp.exe	voovmeetingapp.exe
PID 2088 wrote to memory of 1504	2088	voovmeetingapp.exe	voovmeetingapp.exe
PID 1504 wrote to memory of 1808	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 1808	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 1808	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 1176	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 1176	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 1176	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 3388	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 3388	1504	voovmeetingapp.exe	hw_check.exe
PID 1504 wrote to memory of 3388	1504	voovmeetingapp.exe	hw_check.exe
PID 2224 wrote to memory of 4480	2224	msedge.exe	msedge.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\VooVMeeting_1410000197_3.3.5.510.publish.exe
  "C:\Users\Admin\AppData\Local\Temp\VooVMeeting_1410000197_3.3.5.510.publish.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "" /inheritance:d
    3⤵
    - Modifies file permissions
    PID:1724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "" /remove:g "NT AUTHORITY\Authenticated Users"
    3⤵
    - Modifies file permissions
    PID:2520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "" /inheritance:d
    3⤵
    - Modifies file permissions
    PID:916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "" /remove:g "NT AUTHORITY\Authenticated Users"
    3⤵
    - Modifies file permissions
    PID:3564
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Tencent" /inheritance:d
    3⤵
    - Modifies file permissions
    PID:556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Tencent" /remove:g "NT AUTHORITY\Authenticated Users"
    3⤵
    - Modifies file permissions
    PID:3448
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Tencent\VooVMeeting" /inheritance:d
    3⤵
    - Modifies file permissions
    PID:4604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Tencent\VooVMeeting" /remove:g "NT AUTHORITY\Authenticated Users"
    3⤵
    - Modifies file permissions
    PID:3752
- - C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe
    "C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe" /service
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2216
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Temp\WemeetUpdateSvc.exe" /grant "Users":(RX)
    3⤵
    - Modifies file permissions
    PID:3480
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe" /grant "Users":(RX)
    3⤵
    - Modifies file permissions
    PID:4072
- - C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\outlook_addin_upgrade_helper.exe
    "C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\outlook_addin_upgrade_helper.exe" 0
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Users\Admin\AppData\Roaming\Tencent\WeMeet\OutlookAddin\Update\0eb895043ca5d740bb94fa5ce3c2f13d.exe
      "C:\Users\Admin\AppData\Roaming\Tencent\WeMeet\OutlookAddin\Update\0eb895043ca5d740bb94fa5ce3c2f13d.exe" install_scene=1 InstallType=0
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:868
- C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe
  "C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe" 1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5016
- C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe
  "C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe" --command=startup --target="C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\wemeet.dll" --originalcmd=1 --creation_time=481804 --main_start_time=481919 --shell="C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe" --detach=0 --anrtimeout=50000 --pid= --module="C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\wemeetlauncher.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe
    "C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe" 1 --originalcmd=1 --pipename=e3afe_551AE9D7AA35 --ppid=launcher --channel_token=0ca15591c9c706b8923c3160 "--module=C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\wemeet.dll"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\hw_check.exe
      hw_check.exe --check_d3d=1 --gpu_block_list="0,1"
      4⤵
      Executes dropped EXE
      PID:4560
  - - C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\hw_check.exe
      hw_check.exe --check_d3d=1 --gpu_block_list="0,1"
      4⤵
      Executes dropped EXE
      PID:3660
- - C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe
    "C:\Program Files (x86)\Tencent\VooVMeeting\voovmeetingapp.exe" --start_by=wemeetapp --originalcmd=--start_by=wemeetapp --pipename=e3afe_551AE9D7AA35 --ppid=launcher --channel_token=c510c1d257a337cc401097c1 "--module=C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\package_update.dll"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\hw_check.exe
      hw_check.exe --check_d3d=1
      4⤵
      Executes dropped EXE
      PID:1808
  - - C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\hw_check.exe
      hw_check.exe --check_d3d=1
      4⤵
      Executes dropped EXE
      PID:1176
  - - C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\hw_check.exe
      hw_check.exe --check_d3d=1
      4⤵
      Executes dropped EXE
      PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch -contentTile -url 0 https://outlook.com
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8ba3a46f8,0x7ff8ba3a4708,0x7ff8ba3a4718
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff631215460,0x7ff631215470,0x7ff631215480
    3⤵
    PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9334791827267610095,5767755184916057412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\Default\Config.rdb

Filesize
316KB

MD5
50126331c0251e15b5044b6fa3dae442

SHA1
9bbbdb38e6ab5187922d4baaeb56067978adcfe6

SHA256
9860df9aeae5edb1899cc36114b7f72b5dea397a8f4af6a6dc92967d63a8986f

SHA512
18793d0f1fce6b23f52722765ae3d37a841356c12d944ae2570f7c8cf1a64325dd2a1c6c6250f16b731067c72cbb45892bca2eea2d1dfc059565d403804f0eaa

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\Default\Res.rdb

Filesize
1.4MB

MD5
668822414092f6627db9537c5dac6a2b

SHA1
e4b46c2dec136b1ac6cc67f94ba94bbcea1c10f3

SHA256
b843bec072b453c17ab6fbf2aa6cea20c29a7b78abd29bb147b1d133d8486114

SHA512
8fb20dab9c559ee316561a823603ccbdd6a14eb12b84ff68ab4256bd43ef7810118a5357187df1af7702057d13f4dd2c3cc5b3bac1c129314ee458cf92ade792

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\Default\Xtml.rdb

Filesize
6KB

MD5
ad44d93f934821af37324067bbd4baee

SHA1
f9942d426fe8b2e64cd2691b8c7e93a60cdf3bec

SHA256
d45c3986262d0c904cb01241c86c28d35f8da2bd7a973e2a16d8ec8696428941

SHA512
2a74284326fd903c57d9a4f92611746597d3cd7d4eb99e4ce0401549a19d3efebe2484d99cd2b7278ed07f6ca39121a32afe94d025f83051dd96b0a424b56ce4

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\Default\html\authorize.html

Filesize
815B

MD5
0826d97211629b50846dbe210ebea360

SHA1
1148db0ab720d0ac078ce5a2abbcb7962541f84f

SHA256
0d3e0a054bbf06ea2b00c853cca11cb813506cc57e12ad73d2c06226548dfbcc

SHA512
0a5421aca0b868f42d97fb33571474aeb47deb0fba7d58c44fbf61b493e8803cb5be771714fe6a03b00d11f2a04c99f37f082b542b42ff54f2d337bbb6a75a81

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1028\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1028\StringBundle.xml

Filesize
670B

MD5
f6e86114dbc9d9d2f8c77db06a89062a

SHA1
5e4613fcef84a7a8c934be2ce2e5e5ffc71dac58

SHA256
3630871471bfec62d025e49d48e24ea68aee02c89a1da8f3cb29f36cfd5812bb

SHA512
39cfa7f4f23c14de4415bdc4f2ddae61bd8e0478ccb9754144bbc94f36d959c99eeea93f6804c852764b32659ad46a48e50a4de0403263d34c28ea0687304e42

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1028\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1033\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1033\StringBundle.xml

Filesize
692B

MD5
0794913bec38a2a7975438bfd00864f4

SHA1
19366978df05d58da8c9bafc308692b4615c358a

SHA256
d3f48da6a80b9774612a110f9909647b321b936eab8474dd34c56bd08ed22837

SHA512
d1b1b41f8888e4f8e8bfb119cdd0e449be1c2c8c712ab0955f8c82c319019118e070adc0592362af9c47782c339605e4f85145a2bf8b0718dfebd8a73522ce10

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1033\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1041\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1041\StringBundle.xml

Filesize
855B

MD5
09c03d3e98bb677a8d7050b673f2f8d0

SHA1
858ce348ec01037d8387f85d4fad4d64d3d8a4c8

SHA256
9f4e06f3d80d7266c751743ae168fd1bdf21c63609eea8387becd2e7330c1976

SHA512
0d42e72cf2fc513b535fa21a931eb4dd6f7937dad6bb9a06e622e13cb066dadf552c2923cc2ae4a0a8d45696f7f9502eeaa93326d5e072a3680c42683ec28cfe

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1041\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1042\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1042\StringBundle.xml

Filesize
744B

MD5
f00acf3abb4770cddc08ada2b835bce4

SHA1
2109a95d0671d880e45810e85a680368016996ad

SHA256
be53a5dab50b2b37b8225f7eb4bf78a732b5b0bc138be177941931a0d7c92937

SHA512
1214f0460f3efebf5af2991c9d5f011898038920e51eb8be036397a04393a6007e9a0a2b128c246993e571f09e828059a9c787e46c41eb092d4a4a31181bf47c

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1042\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1086\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1086\StringBundle.xml

Filesize
702B

MD5
c28d3035e089b9e3c09a0f2e6984942b

SHA1
6c0b1a2729251d7f14edf1b0fc4eeade6116b55e

SHA256
d2f22f7dfde5b339a24b2dadd9910e8b8d97ec78424971ce346590b240dc5e7f

SHA512
94bff50759173e004e56e56e96c1c4af40031bdc97fdd264904819ee5b94a0759ec38af13d8693b259bffa4a0be4fab556a14d2805697c5bb496ff2c5cd84fdb

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\1086\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\2052\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\2052\StringBundle.xml

Filesize
670B

MD5
16fd14c1a1dc8ccd5807c72b1f502be5

SHA1
461596370a20f6b1160657842fc289f0e5732c46

SHA256
17926079ea1ae6ab4926e487a66f8cfd7f10822d0a7fd02c6d3f3987268d8598

SHA512
80dae894dbbafd08f90a4d468c00dc02cb6dac0a1e904ce15670546f700a15bb422d0160f4db9c70d7db0ccc2ff322d3df9fcb80bf01bc72e6014f5c13dc3f9a

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\2052\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\config.xml

Filesize
231B

MD5
1c5331fa5d58819905de75b220ebebe8

SHA1
16a8143e790d30d45c5546b74d3ef0dbb25936da

SHA256
f230b144096a5cb266460eb6baa97ea9992724d46dde5ce8bd29b095b1ff0763

SHA512
6d8c827c8a764de6da8dbe2501f703d7c51eff437eaec8b50c8b4fea9283b565aabe6108ec10df72c24be47bb8487ac4f7be9d762b1f2e984fb9a083b59d996e

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\config_en.xml

Filesize
231B

MD5
82cdeadfa13be7a48860b4b99e14fef7

SHA1
5add888aa92100bbf8ae61c971a3693abbaee2a6

SHA256
501fe3f8282554be54b2c74f3151ef7e78ecb03005285a1d7fa3c55da7d28afa

SHA512
2b48dc56507349e7e409e75f73a19daac4327b070076086ac44da42016760a2473ba8fbb54b1e5393cc00bc5a66938d5b2f0d282aebf231eadc2083965ee0377

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\config_ja.xml

Filesize
231B

MD5
8e7988b65bbd76251f0ab3a754fa9e52

SHA1
c8d76679234d06c051afffc549f9b041701e1124

SHA256
e21d718e4482943e9ed43f889f07c8827a4944df142696409be882ea948b95e6

SHA512
6c30f97d0acac3174740e555797402fee914662b9c30c346a0fcc3a0594337a58bf18b2021c6b9d4724abf872eb676e8e9d226e3eaab0a27295c18bbdd1b15ab

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\config_ko.xml

Filesize
231B

MD5
8a21658887fbb1dc3509175ce29e15ac

SHA1
df8e6cc8f5cced4c4f868847c7a1558b7c9fe913

SHA256
ce6a256a8291775ccca899a61ba90cf55064dbbf002a87dc58efb1d7f86fff61

SHA512
93df3e63eb5074bf74123058809960d2df04183274b79687b6e55889864f768cebf2adfc948c29acc1ffdffba4c71f63864ef0399e0761698d16885beac3f79e

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\config_ms.xml

Filesize
234B

MD5
2cd59a5fdbfcae03d4a94f8f07c1fad2

SHA1
db36d7f22905bbac0b070ff301eeaf66e87709c1

SHA256
c4b45a0db273d8564c093dc60521b56ea5968acd57a37aceed355717cfd942dc

SHA512
dd60694014c8e621fc55c8a2e89641612a0ae365265a10ac1b970d5d2627f7003f220a62e5559abe7cdc8b5c53072a4de6ca9089ab98881f60bd271d6cb58cb1

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\I18N\config_tc.xml

Filesize
231B

MD5
c8e64c60444f6c72bbde64c82467c43e

SHA1
ed5d24e5bcd12844796bdc90f000642d9ac2539c

SHA256
ca865a62a9e7f7c246f41a29b7634856ef95986cdb7e76ff9467f0e4ec81b456

SHA512
e6dbae6ab7f05651dc3bc07325af7c10bd7a9dc7c62004b785a961613851d8d4889c462476acc84942291c7de03f8dcd4dc5c2c4a8174bbb226a5a5d46c27eaa

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\common.xml

Filesize
9KB

MD5
33b73c3da330c2cf14e8b921a4cf64ae

SHA1
1e592c9d232ea8f2ef72799b19326be3b6e5779b

SHA256
73f389725d5ef6a291cafd36db0badd6e590297c949e8a0f629cf9a61aa06e91

SHA512
ad921094602d11428234133884e62b5d6bf309ee0524da674890ca6d24b0575cabddb7bdf795f8e268dfaf3d737839543b5f7f7898d081b43a5fd2138ee3d820

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\gf-config.xml

Filesize
526B

MD5
786f773ae933aa90b421236166cb8b87

SHA1
3d31d032686bb1651f79dfe12d3da89e90d5bce5

SHA256
9e54ff160c00df2e502107aa4124125d0d25e2e5a55d32ce35ba2a01098b2ac5

SHA512
caaea9c56bd7c71982a9874cd231828d57616ff7153d345f67ca5c73a037e4245a8638b1c22ec9b4ef76775c88307655962bace8a5ed45af19ee165934948bd2

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\addin_resource\wemeet.xml

Filesize
5KB

MD5
fb5fa5afe1c8ed5965bdb800e41f5421

SHA1
1f3a4215c2d7a7645ae65127a2d072ecbe7c41ed

SHA256
6b719fe7b185f4b0505f5b5293303f3ebab9282073b14660757eba7db1fd15ce

SHA512
e400c349b79efb186f16d4746286739d95c7af312bdade5f040da977a237f6350a0dd3893666cebffef8fe9ef9bb74edde06e0a62b3a0768f3efbab1092c34ca

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-console-l1-1-0.dll

Filesize
18KB

MD5
aabbb38c4110cc0bf7203a567734a7e7

SHA1
5df8d0cdd3e1977ffacca08faf8b1c92c13c6d48

SHA256
24b07028c1e38b9ca2f197750654a0dfb7d33c2e52c9dd67100609499e8028db

SHA512
c66c98d2669d7a180510c57bab707d1e224c12ab7e2b08994eb5fd5be2f3dee3dbdb934bcb9db168845e4d726114bce317045027215419d3f13dcfa0f143d713

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-datetime-l1-1-0.dll

Filesize
17KB

MD5
8894176af3ea65a09ae5cf4c0e6ff50f

SHA1
46858ea9029d7fc57318d27ca14e011327502910

SHA256
c64b7c6400e9bacc1a4f1baed6374bfbce9a3f8cf20c2d03f81ef18262f89c60

SHA512
64b31f9b180c2e4e692643d0ccd08c3499cae87211da6b2b737f67b5719f018ebcacc2476d487a0aeb91fea1666e6dbbf4ca7b08bb4ab5a031655bf9e02cea9a

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-debug-l1-1-0.dll

Filesize
17KB

MD5
879920c7fa905036856bcb10875121d9

SHA1
a82787ea553eefa0e7c3bb3aedb2f2c60e39459a

SHA256
7e4cba620b87189278b5631536cdad9bfda6e12abd8e4eb647cb85369a204fe8

SHA512
06650248ddbc68529ef51c8b3bc3185a22cf1685c5fa9904aee766a24e12d8a2a359b1efd7f49cc2f91471015e7c1516c71ba9d6961850553d424fa400b7ea91

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
17KB

MD5
d91bf81cf5178d47d1a588b0df98eb24

SHA1
75f9f2da06aa2735906b1c572dd556a3c30e7717

SHA256
f8e3b45fd3e22866006f16a9e73e28b5e357f31f3c275b517692a5f16918b492

SHA512
93d1b0d226e94235f1b32d42f6c1b95fadfaf103b8c1782423d2c5a4836102084fb53f871e3c434b85f0288e47f44345138de54ea5f982ca3e8bbf2d2bea0706

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-file-l1-1-0.dll

Filesize
21KB

MD5
eefe86b5a3ab256beed8621a05210df2

SHA1
90c1623a85c519adbc5ef67b63354f881507b8a7

SHA256
1d1c11fc1ad1febf9308225c4ccf0431606a4ab08680ba04494d276cb310bf15

SHA512
c326a2ca190db24e8e96c43d1df58a4859a32eb64b0363f9778a8902f1ac0307dca585be04f831a66bc32df54499681ad952ce654d607f5fdb93e9b4504d653f

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-file-l1-2-0.dll

Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-file-l2-1-0.dll

Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-handle-l1-1-0.dll

Filesize
17KB

MD5
18fd51821d0a6f3e94e3fa71db6de3af

SHA1
7d9700e98ef2d93fdbf8f27592678194b740f4e0

SHA256
dba84e704ffe5fcd42548856258109dc77c6a46fd0b784119a3548ec47e5644b

SHA512
4009b4d50e3cb17197009ac7e41a2351de980b2c5b79c0b440c7fe4c1c3c4e18f1089c6f43216eaa262062c395423f3ad92ca494f664636ff7592c540c5ef89d

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-heap-l1-1-0.dll

Filesize
17KB

MD5
ff8026dab5d3dabca8f72b6fa7d258fa

SHA1
075c8719e226a34d7b883fd62b2d7f8823d70f1a

SHA256
535e9d20f00a2f1a62f843a4a26cfb763138d5dfe358b0126d33996fba9ca4d1

SHA512
9c56ff11d5843ba09cd29e3bc6c6b9396926c6a588194193ba220cfa784b770ab6756076f16f18cfea75b51a8184a1063ef47f63804839530382f8d39d5cf006

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
18KB

MD5
cfe87d58f973daeda4ee7d2cf4ae521d

SHA1
fd0aa97b7cb6e50c6d5d2bf2d21d757040b5204a

SHA256
4997fda5d0e90b8a0ab7da314cb56f25d1450b366701c45c294d8dd3254de483

SHA512
40eb68deb940bbe1b835954183eea711994c434de0abbdea0b1a51db6233a12e07827ad4a8639ae0baf46dd26c168a775ffe606c82cbe47bae655c7f28ab730b

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
18KB

MD5
0c48220a4485f36feed84ef5dd0a5e9c

SHA1
1e7d4038c2765cffa6d4255737a2a8aa86b5551c

SHA256
2dd4ebaa12cbba142b5d61a0ebf84a14d0d1bb8826ba42b63e303fe6721408df

SHA512
e09951785b09f535340e1e6c256df1919485b4dad302b30d90126411cc49a13807b580fa2fcd0d6f7b64aac4f5b5ea3e250b66035a0e2f664d865408c9b43d48

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-memory-l1-1-0.dll

Filesize
18KB

MD5
3940167ffb4383992e73f9a10e4b8b1e

SHA1
53541c824003b0f90b236eda83b06bec5e1acbf5

SHA256
ec573431338371504b7b9e57b2d91382b856aabf25d2b4ad96486efb794c198e

SHA512
9732acaa4db773f4f99f423d9feaebb35c197bbd468922348e0ad086f7131d83f6d9714dc7d375183e7cb8920cfe37f3da19b0041a9063cc60abe183375b1929

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
17KB

MD5
990ac84ae2d83eeb532a28fe29602827

SHA1
0916f85cc6cc1f01dc08bdf71517a1dc1b8eaf78

SHA256
dbd788b1c5694d65fa6f6e2202bfabb30adf77eb1973ceb9a737efb16e9edae2

SHA512
f0e4705a6890b4f81b7d46f66ca6b8ee82f647e163bce9ecad11d0bbd69caf4ff3c4f15e0d3f829c048b6849b99a7641861e6caf319904d4d61a6084f10da353

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
18KB

MD5
0c700b07c3497df4863c3f2fe37cd526

SHA1
f835118244d02304de9eb3a355420ba9d0bd9c13

SHA256
9f1f26794fd664e0a8b6fbd53bfca33dcf7b0dc37faf3eb7782bc38dff62cd8c

SHA512
8042dbd9e80e33e41993887b0289e143e967544389500ada9296b89bda37bb26918e4f370f8a1bdab8faacc4e0a6980794d6a3b5320e170ad4ef751384c9f0a8

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
19KB

MD5
1dda9cb13449ce2c6bb670598fc09dc8

SHA1
0a91fe11b9a8321ca369f665a623270e5ac23176

SHA256
4f187f1b4b14763360c325df6b04d3ec3cc6d2cecc9b796bc52a6c7196b0b2cc

SHA512
4e106c8a52033352c91b65cf65ec459de764c125136333a2f4ba026efdde65f3f71b1f6f11e4c580150ac8a9779825ba5e2af0e14df999a198cfe244e522c28d

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-profile-l1-1-0.dll

Filesize
17KB

MD5
cedefd460bc1e36ae111668f3b658052

SHA1
9bd529fe189e0b214b9e0e51717bdf62f1da44ea

SHA256
f941c232964d01e4680e54ab04955ec6264058011b03889fe29db86509511eba

SHA512
2c845642b054bc12c2911bfe2b850f06fecafef022180c22f6ffd670f821e84fcad041c4d81ddadb781ddb36cb3e98dfe4eb75ec02b88306ef1d410cbb021454

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
17KB

MD5
65fc0b6c2ceff31336983e33b84a9313

SHA1
980de034cc3a36021fd8bafff3846b0731b7068e

SHA256
966a38ed7034f8d355e1e8772dfc92f23fb3c8a669780ed4ac3b075625d09744

SHA512
f4ebc7a6d12ae6afa5b96c06413a3438e1678b276b1517da07d33912818fc863b4d35cb46280f12cf90e37bc93e3ab5e44ea6f75767a314c59222b7d397e5b6a

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-string-l1-1-0.dll

Filesize
17KB

MD5
e7a266dd3a2a1e03d8716f92bede582d

SHA1
d4b97ce87c96de1f39fea97cca3992d292b2c14e

SHA256
339966ae75675a03f628c4ddd5d3218abb36cbcf6ddce83b88c07336d732b8ae

SHA512
31168663fd71b901b1b9152ff288d4e1567003e5fcd1f1c9dfe36d26d2eb16b0932ec8cd34833dab25531f768a01de45c2483f92d4e79f92a89389c02bc05156

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-synch-l1-1-0.dll

Filesize
19KB

MD5
c1dcdb0fabc8ae671a7c7a94f42fb79a

SHA1
99355912d7a7d622753b2a855cae4f5a4e50146f

SHA256
cc76a4e82e0e0cd08df3bb8f5ad57142305e0f666cc32599d76e363d0b43efcb

SHA512
6d92e7520aeebfe60aab43d6616b76a2dd385edcaa217db60003a0c0cbcb0e367063d240e38a19d0b8bee2f2e7d4b982c4f08c8e9ccf34c7f670cb49f6561fff

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
18KB

MD5
887995a73bc7dde7b764afabce57efe7

SHA1
363fd4e7ad4a57224e8410154697df5e8629f526

SHA256
f94210b39cdc812beb7342a47e68673ea2116d0ad9266fcf8d7cedaa9561fc38

SHA512
d088eb1c6958774e20f0e2884136b4e2b978efd16f557dbc55e64011abbce0768054f7e6d881c110182824143a39101fdae273ed614738aa7ba5c727b27f6677

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-util-l1-1-0.dll

Filesize
17KB

MD5
29e1922b32e5312a948e6d8b1b34e2d9

SHA1
912f54be8438f45e1562a47294091d522cd89356

SHA256
34c5dee6d566252c0ceb7d9a21e24d5f297af2b26c32e0c7808bbd088aa9a6a9

SHA512
837cd03ee0195dc94bab0662ff3b8cd1be2dedd8a3254318d25dfea6e88d07211186fa367f41ab864560e10a22220deb3ed05ccf82d60ac80c71dfed08afbea3

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-core-version-l1-1-0.dll

Filesize
11KB

MD5
48f8f75890f3e1f8baa821ab456cbdd9

SHA1
07afcca5bd1e4228fc0c85872670a4f1848c4b4e

SHA256
441e6e6bd3b29849cf7b65389ffee08a6400b46a95cddafa303b43ac05227503

SHA512
e00d99cea6b4a0b56477b31d379a293acc20345deef80652665e1d8f124cea3e5e9e2e95918fce7198ef44817523a5d003f8ebb40258bfb83ec9cf2695fdafee

Download Submit
C:\Program Files (x86)\Tencent\VooVMeeting\3.3.5.510\api-ms-win-crt-conio-l1-1-0.dll

Filesize
18KB

MD5
a668c5ee307457729203ae00edebb6b3

SHA1
2114d84cf3ec576785ebbe6b2184b0d634b86d71

SHA256
a95b1af74623d6d5d892760166b9bfac8926929571301921f1e62458e6d1a503

SHA512
73dc1a1c2ceb98ca6d9ddc7611fc44753184be00cfba07c4947d675f0b154a09e6013e1ef54ac7576e661fc51b4bc54fdd96a0c046ab4ee58282e711b1854730

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB2AC.tmp\LangDLL.dll

Filesize
5KB

MD5
3dd80dff583544514eeb3a5ed851a519

SHA1
56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

SHA256
86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

SHA512
955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB2AC.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB2AC.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB2AC.tmp\WeMeetHelper.dll

Filesize
1.4MB

MD5
40d701589303d107631d3a4bbdbecb1e

SHA1
d721affe6404e12238ef769563882945fade0d05

SHA256
33f73547cb1cb8a0dc14611212ad006aec65442a2325b63150403f12a2ec0a8f

SHA512
c38691fc442d33b4cbbf8ae57c26c4bc247e4b85390aad8b6ecb23ad20fac6303fa30d79e3e7245ab46006bfe77f90abdc5ba0fc2caa271bb47b6d4cc74cf899

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB2AC.tmp\locate.dll

Filesize
17KB

MD5
7d3317f57c1a368480ace3c0ca804eeb

SHA1
d4c7e185bc64aac82339f51ba6c21cf0713c9f1a

SHA256
d88a04c1e39db583eaad727fd390fe599ab10198ee040bfbdd22daefadbd2372

SHA512
5598c2e6caa2f66edd48f8c8305e054d4b0740b5f2b7ed92cf197a13ac66ba99a32013d34b3c2e28d007ab7979eb90a50681324eb736b1410e7df1902e4ec32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB2AC.tmp\locate.dll

Filesize
17KB

MD5
7d3317f57c1a368480ace3c0ca804eeb

SHA1
d4c7e185bc64aac82339f51ba6c21cf0713c9f1a

SHA256
d88a04c1e39db583eaad727fd390fe599ab10198ee040bfbdd22daefadbd2372

SHA512
5598c2e6caa2f66edd48f8c8305e054d4b0740b5f2b7ed92cf197a13ac66ba99a32013d34b3c2e28d007ab7979eb90a50681324eb736b1410e7df1902e4ec32a

Download Submit
memory/400-206-0x0000000000000000-mapping.dmp

Download
memory/556-141-0x0000000000000000-mapping.dmp

Download
memory/776-376-0x0000000000000000-mapping.dmp

Download
memory/868-304-0x0000000000000000-mapping.dmp

Download
memory/916-139-0x0000000000000000-mapping.dmp

Download
memory/1176-371-0x0000000000000000-mapping.dmp

Download
memory/1184-386-0x0000000000000000-mapping.dmp

Download
memory/1260-382-0x0000000000000000-mapping.dmp

Download
memory/1396-375-0x0000000000000000-mapping.dmp

Download
memory/1504-358-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-356-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-354-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-360-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-352-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-350-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-348-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-346-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-344-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-342-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-340-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-338-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-336-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-334-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-305-0x0000000000000000-mapping.dmp

Download
memory/1504-306-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-308-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-310-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-312-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-314-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-316-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-318-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-320-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-322-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-324-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-326-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-328-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-330-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1504-332-0x000000000073B000-0x000000000073E000-memory.dmp

Filesize
12KB

Download
memory/1724-137-0x0000000000000000-mapping.dmp

Download
memory/1808-370-0x0000000000000000-mapping.dmp

Download
memory/2088-270-0x00000000009D3000-0x0000000000A31000-memory.dmp

Filesize
376KB

Download
memory/2088-268-0x00000000009D3000-0x0000000000A31000-memory.dmp

Filesize
376KB

Download
memory/2088-266-0x00000000009D3000-0x0000000000A31000-memory.dmp

Filesize
376KB

Download
memory/2088-264-0x00000000009D3000-0x0000000000A31000-memory.dmp

Filesize
376KB

Download
memory/2088-263-0x0000000000000000-mapping.dmp

Download
memory/2200-380-0x0000000000000000-mapping.dmp

Download
memory/2200-136-0x0000000002D11000-0x0000000002D15000-memory.dmp

Filesize
16KB

Download
memory/2216-203-0x0000000000000000-mapping.dmp

Download
memory/2344-390-0x0000000000000000-mapping.dmp

Download
memory/2520-138-0x0000000000000000-mapping.dmp

Download
memory/2552-301-0x0000000006060000-0x0000000006070000-memory.dmp

Filesize
64KB

Download
memory/2552-300-0x0000000000000000-mapping.dmp

Download
memory/3168-391-0x0000000000000000-mapping.dmp

Download
memory/3388-372-0x0000000000000000-mapping.dmp

Download
memory/3448-200-0x0000000000000000-mapping.dmp

Download
memory/3480-204-0x0000000000000000-mapping.dmp

Download
memory/3564-140-0x0000000000000000-mapping.dmp

Download
memory/3660-303-0x0000000000000000-mapping.dmp

Download
memory/3752-202-0x0000000000000000-mapping.dmp

Download
memory/4072-205-0x0000000000000000-mapping.dmp

Download
memory/4108-384-0x0000000000000000-mapping.dmp

Download
memory/4108-388-0x0000000000000000-mapping.dmp

Download
memory/4480-373-0x0000000000000000-mapping.dmp

Download
memory/4560-302-0x0000000000000000-mapping.dmp

Download
memory/4604-201-0x0000000000000000-mapping.dmp

Download
memory/4740-389-0x0000000000000000-mapping.dmp

Download
memory/4764-378-0x0000000000000000-mapping.dmp

Download