faf0b906501ec9fd41ba46a920055eed58ff6fa5ef227e1feb42fb66bbf23ec1

Analysis

max time kernel
273s
max time network
278s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-05-2022 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TencentMeeting_0300000000_3.7.9.426.publish.exe
Size

148.1MB
MD5

fe7d7cb3026cb7e537b947964cabd2c1
SHA1

c22094f75eb5c03fd53269c4deefafb26df58b0c
SHA256

faf0b906501ec9fd41ba46a920055eed58ff6fa5ef227e1feb42fb66bbf23ec1
SHA512

b3f257e60dae651a8d547ac16a87c4aa5a58f07b0aea0c536b6a5abe0b9d4e8f14d135097a380819e58d555eb7b2fa31565bc9ba263a23468032da5085adda41

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 14 IoCs

Processes:

WemeetUpdateSvc.exeoutlook_addin_upgrade_helper.exewemeetapp.exewemeetapp.exewemeetapp.exewemeetapp.exe1f883fb3345bce8bd72eecde4ec09a62.exewemeetapp.exehw_check.exeWemeetUpdateSvc.exeWemeetRepair.exeDeleteHelper.exehw_check.exeOLPUpdateService.exe

pid	process
540	WemeetUpdateSvc.exe
2008	outlook_addin_upgrade_helper.exe
1784	wemeetapp.exe
1412	wemeetapp.exe
1592	wemeetapp.exe
1264	wemeetapp.exe
2080	1f883fb3345bce8bd72eecde4ec09a62.exe
2140	wemeetapp.exe
2548	hw_check.exe
2660	WemeetUpdateSvc.exe
2712	WemeetRepair.exe
2756	DeleteHelper.exe
2788	hw_check.exe
2824	OLPUpdateService.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wemeetapp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	wemeetapp.exe

Loads dropped DLL 64 IoCs

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exeoutlook_addin_upgrade_helper.exewemeetapp.exe

pid	process
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
2008	outlook_addin_upgrade_helper.exe
1784	wemeetapp.exe
1784	wemeetapp.exe
1784	wemeetapp.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
904	icacls.exe
1644	icacls.exe
1736	icacls.exe
2032	icacls.exe
2024	icacls.exe
1976	icacls.exe
2024	icacls.exe
940	icacls.exe
2840	icacls.exe
2884	icacls.exe
1680	icacls.exe
760	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exeoutlook_addin_upgrade_helper.exe1f883fb3345bce8bd72eecde4ec09a62.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TencentMeeting_0300000000_3.7.9.426.publish.exe
File opened for modification	\??\PhysicalDrive0	outlook_addin_upgrade_helper.exe
File opened for modification	\??\PhysicalDrive0	1f883fb3345bce8bd72eecde4ec09a62.exe

Drops file in System32 directory 2 IoCs

Processes:

WemeetUpdateSvc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\tencent\wemeet\temp\{6B97621E-E186-4304-910A-DFE785AC5F13}\WemeetRepair.exe	WemeetUpdateSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\tencent\wemeet\temp\{6B97621E-E186-4304-910A-DFE785AC5F13}\WemeetRepair.exe	WemeetUpdateSvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

wemeetapp.exewemeetapp.exewemeetapp.exewemeetapp.exewemeetapp.exe

pid process

1784 wemeetapp.exe
1412 wemeetapp.exe
1592 wemeetapp.exe
1264 wemeetapp.exe
2140 wemeetapp.exe

pid	process
1784	wemeetapp.exe
1412	wemeetapp.exe
1592	wemeetapp.exe
1264	wemeetapp.exe
2140	wemeetapp.exe

Drops file in Program Files directory 64 IoCs

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exe1f883fb3345bce8bd72eecde4ec09a62.exewemeetapp.exe

description	ioc	process
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\yt_facebeauty_rc_entry.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\humansegment_pc\model.json.en2	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\components\tab.json	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\app\platform\live\[email protected]	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\tbs\qb.pak	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-console-l1-1-0.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resource\wemeet.xml	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\FilterResource\faceoff\nomouthgray.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-namedpipe-l1-1-0.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\fs_face_adjust_total_pass2.wmc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\fs_filter_openglshader.bin	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\vs_filter_normal.wmc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\sr_model\u8_model_180\config.json	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\components\edit-menu.json	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\historical_meetings\module.res	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\gru_16k.bin	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\FilterResource\realtimefaceedit\dayan.wmc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\pendant_list\avatar_model_cfg.xml	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\uikit\platform\radio-button\deselected_disable.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\caption\Asset\Xtml.rdb	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\quick_meeting\Asset\Res.rdb	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeetPlugins\WemeetOutlookPlugin\1.2.0.7\x64\ucrtbase.dll	1f883fb3345bce8bd72eecde4ec09a62.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\libffmpeg.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\xcast.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config.xml	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\account\Asset\Xtml.rdb	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\safety\Asset\Xtml.rdb	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeetPlugins\WemeetOutlookPlugin\1.2.0.7\x64\api-ms-win-crt-locale-l1-1-0.dll	1f883fb3345bce8bd72eecde4ec09a62.exe
File opened for modification	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\misc.db-journal	wemeetapp.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\vs_roi_blur_v2.wmc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\vs_roi_v2.bin	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\app\platform\live\copy_hover.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\uikit\platform\box\[email protected]	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\company_contacts\company_contacts_module.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\member\member_module.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\Cursor_Drag_Y.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\plugins\imageformats\qgif.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeetPlugins\WemeetOutlookPlugin\1.2.0.7\api-ms-win-crt-filesystem-l1-1-0.dll	1f883fb3345bce8bd72eecde4ec09a62.exe
File opened for modification	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\connection_data.tv	wemeetapp.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\FilterResource\facecolor\lut_whiteskin.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\FilterResource\faceoff\maskModel.json	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\FilterResource\faceoff\video_wuguanliti\lips_mask.wmc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\vs_test.wmc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\audio\module.res	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\historical_meetings\Asset\historical_meetings.rcc	TencentMeeting_0300000000_3.7.9.426.publish.exe
File opened for modification	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\wemeet.db-journal	wemeetapp.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\xGraphic32.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\zlib.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\si_language_ru.xml	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\aekit_resources_win\shaders\dx11\fs_readtexture.bin	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\app\platform\setting\icon_about_normal.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\uikit\platform\area-button\areabutton_blue_disable.gft	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\schedule_meeting\module.res	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\update_lib.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\cnn_popdetector_6.bin	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\emoji_3.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\app\platform\setting\icon_quality_normal.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\account\module.res	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\modules\chat\chat_module.dll	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\themes\default\res\app\platform\setting\[email protected]	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\common.xml	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\Cursor_Hightlighter.cur	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\Cursor_Selector.png	TencentMeeting_0300000000_3.7.9.426.publish.exe
File created	C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\resources\raw\give_like_1.png	TencentMeeting_0300000000_3.7.9.426.publish.exe

Drops file in Windows directory 2 IoCs

Processes:

wemeetapp.exewemeetapp.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	wemeetapp.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	wemeetapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wemeetapp.exewemeetapp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	wemeetapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wemeetapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wemeetapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wemeetapp.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wemeetapp.exeTencentMeeting_0300000000_3.7.9.426.publish.exewemeetapp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wemeetapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	wemeetapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wemeetapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	wemeetapp.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

WemeetUpdateSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	WemeetUpdateSvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	WemeetUpdateSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	WemeetUpdateSvc.exe

Modifies registry class 64 IoCs

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exeregsvr32.exeWemeetUpdateSvc.exeregsvr32.exeOLPUpdateService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\URL Protocol	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\TypeLib	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TencentMeeting.TMOutlookAddin.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\ = "TMOutlookAddin class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}\ProxyStubClsid32	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\AppID = "{89882228-a307-4697-b190-aef836059fc7}"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\DefaultIcon	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell\open	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\DefaultIcon\ = "\"C:\\Program Files (x86)\\Tencent\\WeMeet\\wemeetapp.exe\",1"	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87C0462D-2EB4-4E65-85B1-036D026063AB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet_transcode_file	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet_transcode_file\shell	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wemtc	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\TypeLib\ = "{89882228-A307-4697-B190-AEF836059FC7}"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\DefaultIcon\ = "\"C:\\Program Files (x86)\\Tencent\\WeMeet\\wemeetapp.exe\",1"	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\LocalServer32	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TencentMeeting.TMOutlookAddin.1\ = "TMOutlookAddin class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell\open\	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\shell\	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\ = "WemeetUpdateSvcLib"	WemeetUpdateSvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd4806d2ddf553eb8b\DefaultIcon	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\WeMeetUninstall.exe\	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\Programmable	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\DefaultIcon	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\shell	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\ = "TMOutlookAddin class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\TypeLib\ = "{740E88B9-AAAA-4BA3-B25B-19A49B3679F2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE289816-BAD0-45CF-8D09-ABEDBEF9AEF6}\1.0\0\win64\ = "C:\\Program Files (x86)\\Tencent\\WeMeetPlugins\\WemeetOutlookPlugin\\1.2.0.7\\wemeet_outlook_addin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet_transcode_file\DefaultIcon	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\ProxyStubClsid32	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd4806d2ddf553eb8b\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\WeMeet\\wemeetapp.exe\" \"%1\""	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\OLPUpdateService.exe\AppID = "{35904E9E-0F29-4B94-8259-084D27FBD2FC}"	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rd3a82ac41e00d815d\shell\	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{89882228-a307-4697-b190-aef836059fc7}\ = "WemeetUpdateSvc"	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{968b7869-4d1f-4128-9d8d-ef732b69de04}\LocalServer32\ = "\"C:\\Program Files (x86)\\Tencent\\UpdateSvr\\WemeetUpdateSvc.exe\""	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89882228-A307-4697-B190-AEF836059FC7}\1.0\0\win32	WemeetUpdateSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F889F045-2C73-4448-83E0-921D9137EC72}\ = "OutlookPluginEvaluate class"	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F889F045-2C73-4448-83E0-921D9137EC72}\Version\ = "1.0"	OLPUpdateService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F889F045-2C73-4448-83E0-921D9137EC72}\Programmable	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}\ = "IOutlookPluginEvaluate"	OLPUpdateService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F9066A5-5175-44ED-B6C2-E5505CD6CDA7}\ = "IWemeetEvaluate"	WemeetUpdateSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35F7AF4A-3D5E-480C-A71A-3568F315CEDD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35904E9E-0F29-4B94-8259-084D27FBD2FC}\1.0\0\win32\ = "C:\\Program Files (x86)\\Tencent\\UpdateSvr\\OLPUpdateService.exe"	OLPUpdateService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}\TypeLib	OLPUpdateService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wemeet\shell	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87C0462D-2EB4-4E65-85B1-036D026063AB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F889F045-2C73-4448-83E0-921D9137EC72}\LocalServer32\ = "\"C:\\Program Files (x86)\\Tencent\\UpdateSvr\\OLPUpdateService.exe\""	OLPUpdateService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35904E9E-0F29-4B94-8259-084D27FBD2FC}\1.0\FLAGS	OLPUpdateService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829CF793-ACB8-4368-9C3D-81527433CDD3}	OLPUpdateService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wwauth3rdca2b0d866939bfde\UseOriginalUrlEncoding = "1"	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TencentMeeting.TMOutlookAddin\CurVer\ = "TencentMeeting.TMOutlookAddin.1"	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exewemeetapp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TencentMeeting_0300000000_3.7.9.426.publish.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TencentMeeting_0300000000_3.7.9.426.publish.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wemeetapp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wemeetapp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

wemeetapp.exe

pid process

1412 wemeetapp.exe

pid	process
1412	wemeetapp.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exewemeetapp.exe1f883fb3345bce8bd72eecde4ec09a62.exewemeetapp.exeWemeetRepair.exe

pid	process
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1808	TencentMeeting_0300000000_3.7.9.426.publish.exe
1412	wemeetapp.exe
1412	wemeetapp.exe
2080	1f883fb3345bce8bd72eecde4ec09a62.exe
2080	1f883fb3345bce8bd72eecde4ec09a62.exe
2080	1f883fb3345bce8bd72eecde4ec09a62.exe
2080	1f883fb3345bce8bd72eecde4ec09a62.exe
1412	wemeetapp.exe
2140	wemeetapp.exe
2712	WemeetRepair.exe
2712	WemeetRepair.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

wemeetapp.exewemeetapp.exe

description	pid	process
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	1412	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe
Token: SeRestorePrivilege	2140	wemeetapp.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

wemeetapp.exe

pid process

1412 wemeetapp.exe
1412 wemeetapp.exe
1412 wemeetapp.exe
1412 wemeetapp.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

wemeetapp.exe

pid process

1412 wemeetapp.exe
1412 wemeetapp.exe
1412 wemeetapp.exe
1412 wemeetapp.exe

pid	process
1412	wemeetapp.exe
1412	wemeetapp.exe
1412	wemeetapp.exe
1412	wemeetapp.exe

pid	process
1412	wemeetapp.exe
1412	wemeetapp.exe
1412	wemeetapp.exe
1412	wemeetapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TencentMeeting_0300000000_3.7.9.426.publish.exewemeetapp.exewemeetapp.exeoutlook_addin_upgrade_helper.exe

description	pid	process	target process
PID 1808 wrote to memory of 1976	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1976	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1976	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1976	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 940	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 940	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 940	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 940	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 904	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 904	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 904	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 904	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1680	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1680	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1680	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1680	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 760	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 760	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 760	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 760	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1644	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1644	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1644	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1644	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1736	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1736	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1736	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 1736	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 540	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	WemeetUpdateSvc.exe
PID 1808 wrote to memory of 2032	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2032	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2032	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2032	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2024	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	icacls.exe
PID 1808 wrote to memory of 2008	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	outlook_addin_upgrade_helper.exe
PID 1808 wrote to memory of 2008	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	outlook_addin_upgrade_helper.exe
PID 1808 wrote to memory of 2008	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	outlook_addin_upgrade_helper.exe
PID 1808 wrote to memory of 2008	1808	TencentMeeting_0300000000_3.7.9.426.publish.exe	outlook_addin_upgrade_helper.exe
PID 1784 wrote to memory of 1412	1784	wemeetapp.exe	wemeetapp.exe
PID 1784 wrote to memory of 1412	1784	wemeetapp.exe	wemeetapp.exe
PID 1784 wrote to memory of 1412	1784	wemeetapp.exe	wemeetapp.exe
PID 1784 wrote to memory of 1412	1784	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1592	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1592	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1592	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1592	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1264	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1264	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1264	1412	wemeetapp.exe	wemeetapp.exe
PID 1412 wrote to memory of 1264	1412	wemeetapp.exe	wemeetapp.exe
PID 2008 wrote to memory of 2080	2008	outlook_addin_upgrade_helper.exe	1f883fb3345bce8bd72eecde4ec09a62.exe

C:\Users\Admin\AppData\Local\Temp\TencentMeeting_0300000000_3.7.9.426.publish.exe
"C:\Users\Admin\AppData\Local\Temp\TencentMeeting_0300000000_3.7.9.426.publish.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\icacls.exe
icacls "" /inheritance:d
2⤵
- Modifies file permissions
PID:1976

C:\Windows\SysWOW64\icacls.exe
icacls "" /remove:g "NT AUTHORITY\Authenticated Users"
2⤵
- Modifies file permissions
PID:2024

C:\Windows\SysWOW64\icacls.exe
icacls "" /inheritance:d
2⤵
- Modifies file permissions
PID:940

C:\Windows\SysWOW64\icacls.exe
icacls "" /remove:g "NT AUTHORITY\Authenticated Users"
2⤵
- Modifies file permissions
PID:904

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Tencent" /inheritance:d
2⤵
- Modifies file permissions
PID:1680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Tencent" /remove:g "NT AUTHORITY\Authenticated Users"
2⤵
- Modifies file permissions
PID:760

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Tencent\WeMeet" /inheritance:d
2⤵
- Modifies file permissions
PID:1644

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Tencent\WeMeet" /remove:g "NT AUTHORITY\Authenticated Users"
2⤵
- Modifies file permissions
PID:1736

C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe
"C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe" /service
2⤵
- Executes dropped EXE
- Modifies registry class
PID:540

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Temp\WemeetUpdateSvc.exe" /grant "Users":(RX)
2⤵
- Modifies file permissions
PID:2032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe" /grant "Users":(RX)
2⤵
- Modifies file permissions
PID:2024

C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\outlook_addin_upgrade_helper.exe
"C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\outlook_addin_upgrade_helper.exe" 3.7.9.426
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\Tencent\WeMeet\OutlookAddin\Update\1f883fb3345bce8bd72eecde4ec09a62.exe
"C:\Users\Admin\AppData\Roaming\Tencent\WeMeet\OutlookAddin\Update\1f883fb3345bce8bd72eecde4ec09a62.exe" /install_scene=1 /InstallType=0 /SourceType=helper /AppVersion=Files
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s -i "C:\Program Files (x86)\Tencent\WeMeetPlugins\WemeetOutlookPlugin\1.2.0.7\wemeet_outlook_addin.dll"
4⤵
- Modifies registry class
PID:2248

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s -i "C:\Program Files (x86)\Tencent\WeMeetPlugins\WemeetOutlookPlugin\1.2.0.7\x64\wemeet_outlook_addin_x64.dll"
4⤵
PID:2476

C:\Windows\system32\regsvr32.exe
/s -i "C:\Program Files (x86)\Tencent\WeMeetPlugins\WemeetOutlookPlugin\1.2.0.7\x64\wemeet_outlook_addin_x64.dll"
5⤵
- Modifies registry class
PID:2504

C:\Program Files (x86)\Tencent\UpdateSvr\OLPUpdateService.exe
"C:\Program Files (x86)\Tencent\UpdateSvr\OLPUpdateService.exe" /service
4⤵
- Executes dropped EXE
- Modifies registry class
PID:2824

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Temp\OLPUpdateService.exe" /grant "Users":(RX)
4⤵
- Modifies file permissions
PID:2840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Tencent\UpdateSvr\OLPUpdateService.exe" /grant "Users":(RX)
4⤵
- Modifies file permissions
PID:2884

C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
"C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe" 1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
"--module=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\wemeet.dll" "--target=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\wemeet.dll" --anrtimeout=50000 --command=startup --ppid=launcher --creation_time=725194 --channel_token=b441c5a9d9d97163d71ef6d2 --detach=0 "--shell=C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe" --main_start_time=725220 --process_model=standard --pipename=e3afe_740AA3E2CC28 --start_by_launcher=1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
"--module=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\codecloader.dll" "--xcast_dir=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426" --uid=
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1592

C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
"--module=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\codecloader.dll" "--xcast_dir=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426" --uid=
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1264

C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe
"--module=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\package_update.dll" "--target=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\package_update.dll" --anrtimeout=50000 --detach=0 --channel_token=59da97da495ed592c4113349 --pipename=e3afe_740AA3E2CC28 --pid= --originalcmd=--start_by=wemeetapp "--shell=C:\Program Files (x86)\Tencent\WeMeet\wemeetapp.exe" --start_by_launcher=1 --process_model=standard --ppid=launcher --command=startup
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\hw_check.exe
hw_check.exe --check_d3d=1
3⤵
- Executes dropped EXE
PID:2548

C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\hw_check.exe
hw_check.exe --check_d3d=1
3⤵
- Executes dropped EXE
PID:2788

C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe
"C:\Program Files (x86)\Tencent\UpdateSvr\WemeetUpdateSvc.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2660

C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\tencent\wemeet\temp\{6B97621E-E186-4304-910A-DFE785AC5F13}\WemeetRepair.exe
C:\Windows\System32\config\SYSTEM~1\AppData\Local\tencent\wemeet\temp\{6B97621E-E186-4304-910A-DFE785AC5F13}\WemeetRepair.exe /WemeetPath=C:\Program Files (x86)\Tencent\WeMeet /WemeetRepairPath=C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\WemeetRepair.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\Temp\DeleteHelper.exe
"C:\Windows\Temp\DeleteHelper.exe" 2712 C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\tencent\wemeet\temp\{6B97621E-E186-4304-910A-DFE785AC5F13}\WemeetRepair.exe
3⤵
- Executes dropped EXE
PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\Default\Config.rdb

Filesize
316KB

MD5
cb2231998e97ea0cf3c2f8fc1c212d79

SHA1
da07b6d2f7abc8f26872d105c9b8537aa1dfba05

SHA256
ae0b481d808401be6a7ff1002cfcead753e75653bfd76fa2f09470aa70750263

SHA512
d1aa535104adb374890094f0c61011baa892e34b42c83f0279207b61c08e6898492abc173e89beebbcb84f27e3ac03bf92c1c373c9ab79e1d154c4df1464bbf0

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\Default\Res.rdb

Filesize
946KB

MD5
5f644e91b27ccc0cb6593495c061b5be

SHA1
300a92b1036a60f0a950a702cd0d8df1fde8b597

SHA256
c6d5bf1ce49202c13222738e1ce6c90f015adbaae107ac619daa85fa44117cbb

SHA512
2e80447c36bedfc85aaffa018b4232362b090c78ca41cb0b16021b2ab259c0902a410ba750dd676ee37f29f7db8b01cbcc6f10394394b9e381a0668a13952841

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\Default\Xtml.rdb

Filesize
6KB

MD5
ad44d93f934821af37324067bbd4baee

SHA1
f9942d426fe8b2e64cd2691b8c7e93a60cdf3bec

SHA256
d45c3986262d0c904cb01241c86c28d35f8da2bd7a973e2a16d8ec8696428941

SHA512
2a74284326fd903c57d9a4f92611746597d3cd7d4eb99e4ce0401549a19d3efebe2484d99cd2b7278ed07f6ca39121a32afe94d025f83051dd96b0a424b56ce4

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\Default\html\authorize.html

Filesize
815B

MD5
0826d97211629b50846dbe210ebea360

SHA1
1148db0ab720d0ac078ce5a2abbcb7962541f84f

SHA256
0d3e0a054bbf06ea2b00c853cca11cb813506cc57e12ad73d2c06226548dfbcc

SHA512
0a5421aca0b868f42d97fb33571474aeb47deb0fba7d58c44fbf61b493e8803cb5be771714fe6a03b00d11f2a04c99f37f082b542b42ff54f2d337bbb6a75a81

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1028\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1028\StringBundle.xml

Filesize
670B

MD5
f6e86114dbc9d9d2f8c77db06a89062a

SHA1
5e4613fcef84a7a8c934be2ce2e5e5ffc71dac58

SHA256
3630871471bfec62d025e49d48e24ea68aee02c89a1da8f3cb29f36cfd5812bb

SHA512
39cfa7f4f23c14de4415bdc4f2ddae61bd8e0478ccb9754144bbc94f36d959c99eeea93f6804c852764b32659ad46a48e50a4de0403263d34c28ea0687304e42

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1028\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1033\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1033\StringBundle.xml

Filesize
692B

MD5
0794913bec38a2a7975438bfd00864f4

SHA1
19366978df05d58da8c9bafc308692b4615c358a

SHA256
d3f48da6a80b9774612a110f9909647b321b936eab8474dd34c56bd08ed22837

SHA512
d1b1b41f8888e4f8e8bfb119cdd0e449be1c2c8c712ab0955f8c82c319019118e070adc0592362af9c47782c339605e4f85145a2bf8b0718dfebd8a73522ce10

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1033\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1041\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1041\StringBundle.xml

Filesize
855B

MD5
09c03d3e98bb677a8d7050b673f2f8d0

SHA1
858ce348ec01037d8387f85d4fad4d64d3d8a4c8

SHA256
9f4e06f3d80d7266c751743ae168fd1bdf21c63609eea8387becd2e7330c1976

SHA512
0d42e72cf2fc513b535fa21a931eb4dd6f7937dad6bb9a06e622e13cb066dadf552c2923cc2ae4a0a8d45696f7f9502eeaa93326d5e072a3680c42683ec28cfe

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1041\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1042\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1042\StringBundle.xml

Filesize
744B

MD5
f00acf3abb4770cddc08ada2b835bce4

SHA1
2109a95d0671d880e45810e85a680368016996ad

SHA256
be53a5dab50b2b37b8225f7eb4bf78a732b5b0bc138be177941931a0d7c92937

SHA512
1214f0460f3efebf5af2991c9d5f011898038920e51eb8be036397a04393a6007e9a0a2b128c246993e571f09e828059a9c787e46c41eb092d4a4a31181bf47c

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1042\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1086\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1086\StringBundle.xml

Filesize
702B

MD5
c28d3035e089b9e3c09a0f2e6984942b

SHA1
6c0b1a2729251d7f14edf1b0fc4eeade6116b55e

SHA256
d2f22f7dfde5b339a24b2dadd9910e8b8d97ec78424971ce346590b240dc5e7f

SHA512
94bff50759173e004e56e56e96c1c4af40031bdc97fdd264904819ee5b94a0759ec38af13d8693b259bffa4a0be4fab556a14d2805697c5bb496ff2c5cd84fdb

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\1086\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\2052\GFStringBundle.xml

Filesize
83B

MD5
f3e9d060a9de2536787fee2402eb8681

SHA1
6e4ba5af5a2ac2747e9c289608186500ea728387

SHA256
758927353222faadce08b06dd2f195cfdb4be2f113a9b0daa63ab08aa8b9e890

SHA512
fa35d3ed2e04f598575948b0551e459afc63f80598f7f3b95082442590e1dbdd7053f863d779c1ac4a259cb6b5e13cf860522e739df6961b379f19b5ed201fad

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\2052\StringBundle.xml

Filesize
670B

MD5
16fd14c1a1dc8ccd5807c72b1f502be5

SHA1
461596370a20f6b1160657842fc289f0e5732c46

SHA256
17926079ea1ae6ab4926e487a66f8cfd7f10822d0a7fd02c6d3f3987268d8598

SHA512
80dae894dbbafd08f90a4d468c00dc02cb6dac0a1e904ce15670546f700a15bb422d0160f4db9c70d7db0ccc2ff322d3df9fcb80bf01bc72e6014f5c13dc3f9a

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\2052\UrlBundle.xml

Filesize
140B

MD5
e65dc0977d33863f628dfdb47b6402c0

SHA1
26c962b1c77c362631c728e7038fb33f1ba88fe3

SHA256
d176e9b4ca5d104a565b17258ed511a94c36d5e3934a17cb8cf1a07f64ef41b7

SHA512
d46378b07ced8a9b4a2b6b4ab36fd71e1b187330d29fac6ff86937ba8cad0d9d0693792384fded78c79c535c67df81f7917c3b0320836cecf8cf9e117c9ca770

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config.xml

Filesize
231B

MD5
1c5331fa5d58819905de75b220ebebe8

SHA1
16a8143e790d30d45c5546b74d3ef0dbb25936da

SHA256
f230b144096a5cb266460eb6baa97ea9992724d46dde5ce8bd29b095b1ff0763

SHA512
6d8c827c8a764de6da8dbe2501f703d7c51eff437eaec8b50c8b4fea9283b565aabe6108ec10df72c24be47bb8487ac4f7be9d762b1f2e984fb9a083b59d996e

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config_en.xml

Filesize
231B

MD5
82cdeadfa13be7a48860b4b99e14fef7

SHA1
5add888aa92100bbf8ae61c971a3693abbaee2a6

SHA256
501fe3f8282554be54b2c74f3151ef7e78ecb03005285a1d7fa3c55da7d28afa

SHA512
2b48dc56507349e7e409e75f73a19daac4327b070076086ac44da42016760a2473ba8fbb54b1e5393cc00bc5a66938d5b2f0d282aebf231eadc2083965ee0377

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config_ja.xml

Filesize
231B

MD5
8e7988b65bbd76251f0ab3a754fa9e52

SHA1
c8d76679234d06c051afffc549f9b041701e1124

SHA256
e21d718e4482943e9ed43f889f07c8827a4944df142696409be882ea948b95e6

SHA512
6c30f97d0acac3174740e555797402fee914662b9c30c346a0fcc3a0594337a58bf18b2021c6b9d4724abf872eb676e8e9d226e3eaab0a27295c18bbdd1b15ab

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config_ko.xml

Filesize
231B

MD5
8a21658887fbb1dc3509175ce29e15ac

SHA1
df8e6cc8f5cced4c4f868847c7a1558b7c9fe913

SHA256
ce6a256a8291775ccca899a61ba90cf55064dbbf002a87dc58efb1d7f86fff61

SHA512
93df3e63eb5074bf74123058809960d2df04183274b79687b6e55889864f768cebf2adfc948c29acc1ffdffba4c71f63864ef0399e0761698d16885beac3f79e

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config_ms.xml

Filesize
234B

MD5
2cd59a5fdbfcae03d4a94f8f07c1fad2

SHA1
db36d7f22905bbac0b070ff301eeaf66e87709c1

SHA256
c4b45a0db273d8564c093dc60521b56ea5968acd57a37aceed355717cfd942dc

SHA512
dd60694014c8e621fc55c8a2e89641612a0ae365265a10ac1b970d5d2627f7003f220a62e5559abe7cdc8b5c53072a4de6ca9089ab98881f60bd271d6cb58cb1

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\I18N\config_tc.xml

Filesize
231B

MD5
c8e64c60444f6c72bbde64c82467c43e

SHA1
ed5d24e5bcd12844796bdc90f000642d9ac2539c

SHA256
ca865a62a9e7f7c246f41a29b7634856ef95986cdb7e76ff9467f0e4ec81b456

SHA512
e6dbae6ab7f05651dc3bc07325af7c10bd7a9dc7c62004b785a961613851d8d4889c462476acc84942291c7de03f8dcd4dc5c2c4a8174bbb226a5a5d46c27eaa

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\common.xml

Filesize
9KB

MD5
33b73c3da330c2cf14e8b921a4cf64ae

SHA1
1e592c9d232ea8f2ef72799b19326be3b6e5779b

SHA256
73f389725d5ef6a291cafd36db0badd6e590297c949e8a0f629cf9a61aa06e91

SHA512
ad921094602d11428234133884e62b5d6bf309ee0524da674890ca6d24b0575cabddb7bdf795f8e268dfaf3d737839543b5f7f7898d081b43a5fd2138ee3d820

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\gf-config.xml

Filesize
526B

MD5
786f773ae933aa90b421236166cb8b87

SHA1
3d31d032686bb1651f79dfe12d3da89e90d5bce5

SHA256
9e54ff160c00df2e502107aa4124125d0d25e2e5a55d32ce35ba2a01098b2ac5

SHA512
caaea9c56bd7c71982a9874cd231828d57616ff7153d345f67ca5c73a037e4245a8638b1c22ec9b4ef76775c88307655962bace8a5ed45af19ee165934948bd2

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\addin_resource\wemeet.xml

Filesize
5KB

MD5
135a6c98afa182be885f02ae6dd4039f

SHA1
e2200ede21935f7cc9e52ee1ef50e3cae9d46157

SHA256
2fa575c8a7e9ec3e71c0bf4ee35ae072ba534fadaa678fafa71463ae25ae4035

SHA512
c542930cab17b2622de6cf0cc0e674348b8b096641ff769a523623807163746d6da08a12b56a43a44e6088fc98c1c108f1da232b3a1904f7431a755413b367a5

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-console-l1-1-0.dll

Filesize
18KB

MD5
aabbb38c4110cc0bf7203a567734a7e7

SHA1
5df8d0cdd3e1977ffacca08faf8b1c92c13c6d48

SHA256
24b07028c1e38b9ca2f197750654a0dfb7d33c2e52c9dd67100609499e8028db

SHA512
c66c98d2669d7a180510c57bab707d1e224c12ab7e2b08994eb5fd5be2f3dee3dbdb934bcb9db168845e4d726114bce317045027215419d3f13dcfa0f143d713

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-datetime-l1-1-0.dll

Filesize
17KB

MD5
8894176af3ea65a09ae5cf4c0e6ff50f

SHA1
46858ea9029d7fc57318d27ca14e011327502910

SHA256
c64b7c6400e9bacc1a4f1baed6374bfbce9a3f8cf20c2d03f81ef18262f89c60

SHA512
64b31f9b180c2e4e692643d0ccd08c3499cae87211da6b2b737f67b5719f018ebcacc2476d487a0aeb91fea1666e6dbbf4ca7b08bb4ab5a031655bf9e02cea9a

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-debug-l1-1-0.dll

Filesize
17KB

MD5
879920c7fa905036856bcb10875121d9

SHA1
a82787ea553eefa0e7c3bb3aedb2f2c60e39459a

SHA256
7e4cba620b87189278b5631536cdad9bfda6e12abd8e4eb647cb85369a204fe8

SHA512
06650248ddbc68529ef51c8b3bc3185a22cf1685c5fa9904aee766a24e12d8a2a359b1efd7f49cc2f91471015e7c1516c71ba9d6961850553d424fa400b7ea91

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
17KB

MD5
d91bf81cf5178d47d1a588b0df98eb24

SHA1
75f9f2da06aa2735906b1c572dd556a3c30e7717

SHA256
f8e3b45fd3e22866006f16a9e73e28b5e357f31f3c275b517692a5f16918b492

SHA512
93d1b0d226e94235f1b32d42f6c1b95fadfaf103b8c1782423d2c5a4836102084fb53f871e3c434b85f0288e47f44345138de54ea5f982ca3e8bbf2d2bea0706

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-file-l1-1-0.dll

Filesize
21KB

MD5
eefe86b5a3ab256beed8621a05210df2

SHA1
90c1623a85c519adbc5ef67b63354f881507b8a7

SHA256
1d1c11fc1ad1febf9308225c4ccf0431606a4ab08680ba04494d276cb310bf15

SHA512
c326a2ca190db24e8e96c43d1df58a4859a32eb64b0363f9778a8902f1ac0307dca585be04f831a66bc32df54499681ad952ce654d607f5fdb93e9b4504d653f

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-file-l1-2-0.dll

Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-file-l2-1-0.dll

Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-handle-l1-1-0.dll

Filesize
17KB

MD5
18fd51821d0a6f3e94e3fa71db6de3af

SHA1
7d9700e98ef2d93fdbf8f27592678194b740f4e0

SHA256
dba84e704ffe5fcd42548856258109dc77c6a46fd0b784119a3548ec47e5644b

SHA512
4009b4d50e3cb17197009ac7e41a2351de980b2c5b79c0b440c7fe4c1c3c4e18f1089c6f43216eaa262062c395423f3ad92ca494f664636ff7592c540c5ef89d

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-heap-l1-1-0.dll

Filesize
17KB

MD5
ff8026dab5d3dabca8f72b6fa7d258fa

SHA1
075c8719e226a34d7b883fd62b2d7f8823d70f1a

SHA256
535e9d20f00a2f1a62f843a4a26cfb763138d5dfe358b0126d33996fba9ca4d1

SHA512
9c56ff11d5843ba09cd29e3bc6c6b9396926c6a588194193ba220cfa784b770ab6756076f16f18cfea75b51a8184a1063ef47f63804839530382f8d39d5cf006

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
18KB

MD5
cfe87d58f973daeda4ee7d2cf4ae521d

SHA1
fd0aa97b7cb6e50c6d5d2bf2d21d757040b5204a

SHA256
4997fda5d0e90b8a0ab7da314cb56f25d1450b366701c45c294d8dd3254de483

SHA512
40eb68deb940bbe1b835954183eea711994c434de0abbdea0b1a51db6233a12e07827ad4a8639ae0baf46dd26c168a775ffe606c82cbe47bae655c7f28ab730b

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
18KB

MD5
0c48220a4485f36feed84ef5dd0a5e9c

SHA1
1e7d4038c2765cffa6d4255737a2a8aa86b5551c

SHA256
2dd4ebaa12cbba142b5d61a0ebf84a14d0d1bb8826ba42b63e303fe6721408df

SHA512
e09951785b09f535340e1e6c256df1919485b4dad302b30d90126411cc49a13807b580fa2fcd0d6f7b64aac4f5b5ea3e250b66035a0e2f664d865408c9b43d48

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-memory-l1-1-0.dll

Filesize
18KB

MD5
3940167ffb4383992e73f9a10e4b8b1e

SHA1
53541c824003b0f90b236eda83b06bec5e1acbf5

SHA256
ec573431338371504b7b9e57b2d91382b856aabf25d2b4ad96486efb794c198e

SHA512
9732acaa4db773f4f99f423d9feaebb35c197bbd468922348e0ad086f7131d83f6d9714dc7d375183e7cb8920cfe37f3da19b0041a9063cc60abe183375b1929

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
17KB

MD5
990ac84ae2d83eeb532a28fe29602827

SHA1
0916f85cc6cc1f01dc08bdf71517a1dc1b8eaf78

SHA256
dbd788b1c5694d65fa6f6e2202bfabb30adf77eb1973ceb9a737efb16e9edae2

SHA512
f0e4705a6890b4f81b7d46f66ca6b8ee82f647e163bce9ecad11d0bbd69caf4ff3c4f15e0d3f829c048b6849b99a7641861e6caf319904d4d61a6084f10da353

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
18KB

MD5
0c700b07c3497df4863c3f2fe37cd526

SHA1
f835118244d02304de9eb3a355420ba9d0bd9c13

SHA256
9f1f26794fd664e0a8b6fbd53bfca33dcf7b0dc37faf3eb7782bc38dff62cd8c

SHA512
8042dbd9e80e33e41993887b0289e143e967544389500ada9296b89bda37bb26918e4f370f8a1bdab8faacc4e0a6980794d6a3b5320e170ad4ef751384c9f0a8

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
19KB

MD5
1dda9cb13449ce2c6bb670598fc09dc8

SHA1
0a91fe11b9a8321ca369f665a623270e5ac23176

SHA256
4f187f1b4b14763360c325df6b04d3ec3cc6d2cecc9b796bc52a6c7196b0b2cc

SHA512
4e106c8a52033352c91b65cf65ec459de764c125136333a2f4ba026efdde65f3f71b1f6f11e4c580150ac8a9779825ba5e2af0e14df999a198cfe244e522c28d

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-profile-l1-1-0.dll

Filesize
17KB

MD5
cedefd460bc1e36ae111668f3b658052

SHA1
9bd529fe189e0b214b9e0e51717bdf62f1da44ea

SHA256
f941c232964d01e4680e54ab04955ec6264058011b03889fe29db86509511eba

SHA512
2c845642b054bc12c2911bfe2b850f06fecafef022180c22f6ffd670f821e84fcad041c4d81ddadb781ddb36cb3e98dfe4eb75ec02b88306ef1d410cbb021454

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
17KB

MD5
65fc0b6c2ceff31336983e33b84a9313

SHA1
980de034cc3a36021fd8bafff3846b0731b7068e

SHA256
966a38ed7034f8d355e1e8772dfc92f23fb3c8a669780ed4ac3b075625d09744

SHA512
f4ebc7a6d12ae6afa5b96c06413a3438e1678b276b1517da07d33912818fc863b4d35cb46280f12cf90e37bc93e3ab5e44ea6f75767a314c59222b7d397e5b6a

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-string-l1-1-0.dll

Filesize
17KB

MD5
e7a266dd3a2a1e03d8716f92bede582d

SHA1
d4b97ce87c96de1f39fea97cca3992d292b2c14e

SHA256
339966ae75675a03f628c4ddd5d3218abb36cbcf6ddce83b88c07336d732b8ae

SHA512
31168663fd71b901b1b9152ff288d4e1567003e5fcd1f1c9dfe36d26d2eb16b0932ec8cd34833dab25531f768a01de45c2483f92d4e79f92a89389c02bc05156

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-synch-l1-1-0.dll

Filesize
19KB

MD5
c1dcdb0fabc8ae671a7c7a94f42fb79a

SHA1
99355912d7a7d622753b2a855cae4f5a4e50146f

SHA256
cc76a4e82e0e0cd08df3bb8f5ad57142305e0f666cc32599d76e363d0b43efcb

SHA512
6d92e7520aeebfe60aab43d6616b76a2dd385edcaa217db60003a0c0cbcb0e367063d240e38a19d0b8bee2f2e7d4b982c4f08c8e9ccf34c7f670cb49f6561fff

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
18KB

MD5
887995a73bc7dde7b764afabce57efe7

SHA1
363fd4e7ad4a57224e8410154697df5e8629f526

SHA256
f94210b39cdc812beb7342a47e68673ea2116d0ad9266fcf8d7cedaa9561fc38

SHA512
d088eb1c6958774e20f0e2884136b4e2b978efd16f557dbc55e64011abbce0768054f7e6d881c110182824143a39101fdae273ed614738aa7ba5c727b27f6677

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-util-l1-1-0.dll

Filesize
17KB

MD5
29e1922b32e5312a948e6d8b1b34e2d9

SHA1
912f54be8438f45e1562a47294091d522cd89356

SHA256
34c5dee6d566252c0ceb7d9a21e24d5f297af2b26c32e0c7808bbd088aa9a6a9

SHA512
837cd03ee0195dc94bab0662ff3b8cd1be2dedd8a3254318d25dfea6e88d07211186fa367f41ab864560e10a22220deb3ed05ccf82d60ac80c71dfed08afbea3

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-core-version-l1-1-0.dll

Filesize
11KB

MD5
48f8f75890f3e1f8baa821ab456cbdd9

SHA1
07afcca5bd1e4228fc0c85872670a4f1848c4b4e

SHA256
441e6e6bd3b29849cf7b65389ffee08a6400b46a95cddafa303b43ac05227503

SHA512
e00d99cea6b4a0b56477b31d379a293acc20345deef80652665e1d8f124cea3e5e9e2e95918fce7198ef44817523a5d003f8ebb40258bfb83ec9cf2695fdafee

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-crt-conio-l1-1-0.dll

Filesize
18KB

MD5
a668c5ee307457729203ae00edebb6b3

SHA1
2114d84cf3ec576785ebbe6b2184b0d634b86d71

SHA256
a95b1af74623d6d5d892760166b9bfac8926929571301921f1e62458e6d1a503

SHA512
73dc1a1c2ceb98ca6d9ddc7611fc44753184be00cfba07c4947d675f0b154a09e6013e1ef54ac7576e661fc51b4bc54fdd96a0c046ab4ee58282e711b1854730

Download Submit
C:\Program Files (x86)\Tencent\WeMeet\3.7.9.426\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
9ddea3cc96e0fdd3443cc60d649931b3

SHA1
af3cb7036318a8427f20b8561079e279119dca0e

SHA256
b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5

SHA512
1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

Download Submit
\Users\Admin\AppData\Local\Temp\nso283B.tmp\LangDLL.dll

Filesize
7KB

MD5
98c67ac7f1b9f37ba19db3c1dc10cf0f

SHA1
28292ac34775e4c33f9ee980b314637f22872bae

SHA256
fc934575d04b2c8b09b3cf21a87621be87c573b788ea9dff66c9be785e040443

SHA512
d496cc8595ceb285ba32868a8901b3abd276157cea375e7b31ace875c726cc63684761b373119a723399e661fc9fe55de69a6dcf9f2cd61523d96fb497c4b785

Download Submit
\Users\Admin\AppData\Local\Temp\nso283B.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nso283B.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nso283B.tmp\WeMeetHelper.dll

Filesize
1.4MB

MD5
09eae0df409a270b22e13fddec3bf625

SHA1
8bdce7a044fb7bf375098bdb49110c8ca5c07a71

SHA256
be71e8343c655587d99219404b2e54c5be494fae0f23ca6d675071409f2c5064

SHA512
421bba1f158adca534413ac1f1dad98494aed2490896e57493ede16985256aa926f6de6d1d5938c5a07583fcf5a57752e465706af55b8b5821aa2c52cc7d280f

Download Submit
\Users\Admin\AppData\Local\Temp\nso283B.tmp\locate.dll

Filesize
17KB

MD5
7d3317f57c1a368480ace3c0ca804eeb

SHA1
d4c7e185bc64aac82339f51ba6c21cf0713c9f1a

SHA256
d88a04c1e39db583eaad727fd390fe599ab10198ee040bfbdd22daefadbd2372

SHA512
5598c2e6caa2f66edd48f8c8305e054d4b0740b5f2b7ed92cf197a13ac66ba99a32013d34b3c2e28d007ab7979eb90a50681324eb736b1410e7df1902e4ec32a

Download Submit
memory/540-127-0x0000000000000000-mapping.dmp

Download
memory/760-124-0x0000000000000000-mapping.dmp

Download
memory/904-63-0x0000000000000000-mapping.dmp

Download
memory/940-62-0x0000000000000000-mapping.dmp

Download
memory/1264-214-0x0000000000000000-mapping.dmp

Download
memory/1412-154-0x0000000000000000-mapping.dmp

Download
memory/1412-182-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-170-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-168-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-166-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-164-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-212-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/1412-194-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-192-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-190-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-188-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-186-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-184-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-172-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-180-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-178-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-176-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-174-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-162-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-156-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-158-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1412-160-0x0000000000566000-0x000000000056B000-memory.dmp

Filesize
20KB

Download
memory/1592-213-0x0000000000000000-mapping.dmp

Download
memory/1644-125-0x0000000000000000-mapping.dmp

Download
memory/1680-64-0x0000000000000000-mapping.dmp

Download
memory/1736-126-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1976-60-0x0000000000000000-mapping.dmp

Download
memory/2008-133-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-150-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-146-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-148-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-144-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-142-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-136-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-140-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-138-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2008-131-0x0000000000000000-mapping.dmp

Download
memory/2008-152-0x0000000000AD9000-0x0000000000B1A000-memory.dmp

Filesize
260KB

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download
memory/2024-130-0x0000000000000000-mapping.dmp

Download
memory/2032-129-0x0000000000000000-mapping.dmp

Download
memory/2080-225-0x0000000000000000-mapping.dmp

Download
memory/2140-227-0x0000000000000000-mapping.dmp

Download
memory/2248-249-0x0000000000000000-mapping.dmp

Download
memory/2476-287-0x0000000000000000-mapping.dmp

Download
memory/2504-289-0x0000000000000000-mapping.dmp

Download
memory/2548-291-0x0000000000000000-mapping.dmp

Download
memory/2712-293-0x0000000000000000-mapping.dmp

Download
memory/2756-295-0x0000000000000000-mapping.dmp

Download
memory/2788-296-0x0000000000000000-mapping.dmp

Download
memory/2824-297-0x0000000000000000-mapping.dmp

Download
memory/2840-298-0x0000000000000000-mapping.dmp

Download
memory/2884-300-0x0000000000000000-mapping.dmp

Download