hxxp://www[.]meetiqc[.]com

Analysis

max time kernel
762s
max time network
737s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.meetiqc.com

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2520	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
2588	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
2768	Installer.exe
2968	Installer.exe
2132	Zoom.exe
1948	Zoom.exe
1568	Zoom.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	Zoom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	Zoom.exe

Loads dropped DLL 64 IoCs

pid	Process
2588	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2588	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\Policy = "3"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\zoommtg	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Low Rights	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppName = "Zoom.exe"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Zoom.exe = "11000"	Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\zoommtg\WarnOnOpen = "0"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFDA28A5-1B5F-4635-9877-73DF0D710C9A}	Installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPhoneCall	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\ = "URL:Zoom Launcher"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\",1"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\shell\open\command	Installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MIME\Database	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPhoneCall\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\" --url=\"%l\""	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPbx.zoomphonecall\ = "URL:ZoomPhoneCall Protocol"	Installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomLauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\" \"--url=%1\""	Installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomRecording\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\zTscoder.exe\" \"%1\""	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPbx.zoomphonecall	Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MIME\Database\Content Type\application/x-zoommtg-launcher\Extension = ".zoommtg"	Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\UseOriginalUrlEncoding = "1"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomRecording\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\",0"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPhoneCall\URL Protocol	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPhoneCall\DefaultIcon	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomLauncher\shell\open	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\URL Protocol	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomRecording\ = "Zoom Recording File"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPbx.zoomphonecall\URL Protocol	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPbx.zoomphonecall\shell\open	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomLauncher	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.zoom	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPhoneCall\shell\open\command	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomRecording\shell	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPbx.zoomphonecall\DefaultIcon	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MIME\Database\Content Type\application/x-zoommtg-launcher	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomLauncher\ = "Zoom Launcher - 3.0.1"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\shell\open	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPbx.zoomphonecall\shell	Installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.zoommtg	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\" \"--url=%1\""	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomRecording\shell\open\command	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\zoommtg\shell	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomRecording\shell\open	Installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.zoommtg\ = "ZoomLauncher"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomLauncher\shell	Installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\MIME\Database\Content Type	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ZoomPhoneCall\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\",1"	Installer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\zm643.tmp\:Zone.Identifier:$DATA	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2520	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
2520	Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2768	Installer.exe
2968	Installer.exe
2132	Zoom.exe
2132	Zoom.exe
1948	Zoom.exe
1948	Zoom.exe
1568	Zoom.exe
1568	Zoom.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe
Token: SeDebugPrivilege	1744	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe
2132	Zoom.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
2132	Zoom.exe
1744	firefox.exe
1948	Zoom.exe
1568	Zoom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1104 wrote to memory of 1744	1104	firefox.exe	27
PID 1744 wrote to memory of 612	1744	firefox.exe	29
PID 1744 wrote to memory of 612	1744	firefox.exe	29
PID 1744 wrote to memory of 612	1744	firefox.exe	29
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 2040	1744	firefox.exe	30
PID 1744 wrote to memory of 1728	1744	firefox.exe	31
PID 1744 wrote to memory of 1728	1744	firefox.exe	31
PID 1744 wrote to memory of 1728	1744	firefox.exe	31
PID 1744 wrote to memory of 1728	1744	firefox.exe	31
PID 1744 wrote to memory of 1728	1744	firefox.exe	31
PID 1744 wrote to memory of 1728	1744	firefox.exe	31
PID 1744 wrote to memory of 1728	1744	firefox.exe	31

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.meetiqc.com
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.meetiqc.com
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.0.680785030\621709453" -parentBuildID 20200403170909 -prefsHandle 1200 -prefMapHandle 1192 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1264 gpu
    3⤵
    PID:612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.3.166871452\776059336" -childID 1 -isForBrowser -prefsHandle 1576 -prefMapHandle 1800 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 1772 tab
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1744.13.18138647\1984666887" -childID 2 -isForBrowser -prefsHandle 2600 -prefMapHandle 2596 -prefsLen 6938 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1744 "\\.\pipe\gecko-crash-server-pipe.1744" 2612 tab
    3⤵
    PID:1728

C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
"C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2520
- C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe
  "C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe" /normal.priviledge
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - NTFS ADS
  PID:2588
- - C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
    "C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" ZInstaller --conf.mode=silent --ipc_wnd=65942
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe
      "C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe" /addfwexception --bin_home="C:\Users\Admin\AppData\Roaming\Zoom\bin"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2968
- - C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe
    "C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe" "--url=zoommtg://win.launch?h.domain=zoom.us&h.path=join&confid=dXNzPWstaUNabnMyTTdvcFBKeUhoYmd2Q0RUYlYyTTgzWExtWTBaVUs0aXhaLXcxXy1zY2JxSXRYY0NZcy12Rlk3OURPSlpSZmRjWlhFODRwcEJtLnRObE14WEFSVHhORG5ac3MmdGlkPWQwYjNlMDE3MmI5YjRmNzg4NDZhNGIxOGY2ZTA4NjVk&mcv=0.92.11227.0929&stype=0&zc=0&browser=firefox&action=join&confno=5218487285"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2132
  - - C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe
      "C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe" --action=join --runaszvideo=TRUE
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1948
  - - C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe
      Zoom.exe --action=cleanTmpFile --data=data
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf5c4ad7abaf3491f3859d9717f6e0a

SHA1
a912afd9b93fa80d0b20fe6d37f05a5dd0e7ea0e

SHA256
9fd717ea18241cafd106f2e4ec0909f9544faa4c9a97a3ccfccebe1324818568

SHA512
23cfb0c737b06937c1fbe9db1d6d0ce15ec3667ac7594d94428ee9616ca0d3556cc055e330135156aaab2cfdb5f147c5ec36967947446623f05a616d6af2b1d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0ab1c44e388dd46627982ea7ef42079

SHA1
bc56fff251603bc29785d4fcb9db89a4449a9bc4

SHA256
94aa0719403be04c444cadc0083bc85c661284567b73a334060fa1be12f88be9

SHA512
615f73d15b33d5e46ad5c21ef588af2696351ce540617fbfe696d3ff34bc622586c3f9eb667932014758714022b412c9f2437dd63ef68d4c49f23a47a0155edd

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe

Filesize
963KB

MD5
dd4ca82899d0afcb6845ed68d7686428

SHA1
75e25ca2368d50febaa5bbd3723e18fa612f6fff

SHA256
8aebaf864479fba2565804ebfd2a38ed593e8c9c15bcf45622ed3bb2d29bd6fa

SHA512
f693cf8f72aaff6bad2a841942d35a7f6a2f6f1ef901ea07c95a2c8f4025248c478b5422ef0b1f128cbd5152c451e289e9376b5a761558294adb65c90bd22e41

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe

Filesize
963KB

MD5
dd4ca82899d0afcb6845ed68d7686428

SHA1
75e25ca2368d50febaa5bbd3723e18fa612f6fff

SHA256
8aebaf864479fba2565804ebfd2a38ed593e8c9c15bcf45622ed3bb2d29bd6fa

SHA512
f693cf8f72aaff6bad2a841942d35a7f6a2f6f1ef901ea07c95a2c8f4025248c478b5422ef0b1f128cbd5152c451e289e9376b5a761558294adb65c90bd22e41

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe

Filesize
963KB

MD5
dd4ca82899d0afcb6845ed68d7686428

SHA1
75e25ca2368d50febaa5bbd3723e18fa612f6fff

SHA256
8aebaf864479fba2565804ebfd2a38ed593e8c9c15bcf45622ed3bb2d29bd6fa

SHA512
f693cf8f72aaff6bad2a841942d35a7f6a2f6f1ef901ea07c95a2c8f4025248c478b5422ef0b1f128cbd5152c451e289e9376b5a761558294adb65c90bd22e41

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Zoom.msi

Filesize
28.2MB

MD5
b0fa23a7971349619431bad9862e460a

SHA1
5e36e0b7cdf8f70dbccc21166526eab386b27046

SHA256
3c37ca3cc647b62d3f0a19e00a1ffb53db0ed1271b243ca1fdcfbeddef428c3a

SHA512
440b979c257da7798998cd5e19720419af89e2fc9d8a192cade5eb64ae6811b47e08c725c5f5c409063702e72bbfe043f40dc1e89d0fa940303665728c19c629

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\Cmmlib.dll

Filesize
1.9MB

MD5
b13bfc96acb62e33adf78a0411c3bfce

SHA1
a33d80f73c91fceb014046dc7f0640d609ee4695

SHA256
013b2a564dad1a2ccafde38f2293ccf2bdcc6e432bd40cf2443e8c282f4636b7

SHA512
1daac594f8feacef7273dd2b63557bcf6e7e0042018b87a36b548c893b1439eaf321a7a70dd4e4b0d83306fc578888ee27b19a1e96810ce0b1c1704d1bb73662

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe

Filesize
355KB

MD5
941798195266aa7605712af09180c605

SHA1
e8c13cf28e444a3bf19ecd77a292be94b324c603

SHA256
f61f45486c1a3ea5330a87522e6fa139c3ebf33addd2e3bd3dfd9b2881b06917

SHA512
a8d821ecfb8c64ebba9b550bc4c99c2c07b4a0fb6e1cd7b44cd13e848deb1711f3e1f22bfd550c6528f5414a51c0482615507299122b90e60d60cd1b4488cf7c

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe

Filesize
355KB

MD5
941798195266aa7605712af09180c605

SHA1
e8c13cf28e444a3bf19ecd77a292be94b324c603

SHA256
f61f45486c1a3ea5330a87522e6fa139c3ebf33addd2e3bd3dfd9b2881b06917

SHA512
a8d821ecfb8c64ebba9b550bc4c99c2c07b4a0fb6e1cd7b44cd13e848deb1711f3e1f22bfd550c6528f5414a51c0482615507299122b90e60d60cd1b4488cf7c

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
d175430eff058838cee2e334951f6c9c

SHA1
7f17fbdcef12042d215828c1d6675e483a4c62b1

SHA256
1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a

SHA512
6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\libcrypto-1_1.dll

Filesize
3.4MB

MD5
57eaaacbec7578e11cef8020cef7139d

SHA1
f727142ed7b990ed2952959c32d555014d2c797a

SHA256
622cda45a38c494a10ba1f08f729f2d68f0b15a0d965b6c3cf1022efbe131e8f

SHA512
0e80c77beb916524ae276c6067467c378b1a9c02cf5b730848a659182bbaa546ff4e00705c3e1be93154f7a555b9fb9fa77115e632f8497abb851e55091ee389

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\ucrtbase.DLL

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\bin\zCrashReport64.dll

Filesize
243KB

MD5
2ba7bb54ff2d5cd84ca33e2fba4ad021

SHA1
ba4d2626d71664bdd8fe2d87ef3973002114cb55

SHA256
765b122888ec594f42bf132987c30bf644855a29a1d282a4c4751cfb1fbb519b

SHA512
a504f654d6ad1318f2f6a35f22c3fb756457df2637ef1b504408ba16e744ef4ada1d6b4e1435d8a55800aa187bd7818bf57d90fc8fd8974dd49bd6580a726e64

Download Submit
C:\Users\Admin\AppData\Roaming\Zoom\installer.txt

Filesize
14KB

MD5
b2af02eb2e176e912c78f5fe43d8ca8d

SHA1
93f7982feec521b19caae52dc72bff2eea94d447

SHA256
71e5c3973e1863f3370d28a08134929a3975e5252153ad70309465cbfd5ca516

SHA512
328b8c099809c64285aa22b9b7ad2133f74f9d4ac6b2294901dae6d06f5a95cb9cb9174eb78d4db57e121f31256193ba4d8a2ae66f1f5bbb3c3668c1be5afe01

Download Submit
C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe

Filesize
134KB

MD5
98533b90fa7909adf78ac17f78147572

SHA1
75f0a91b72adb12f1ca65d3516489d71705e2435

SHA256
75c3393e6b6be630faa40221894491b06a54ec24e1d9ae9f13235ad835c4df67

SHA512
afb720431c912c943b4cd0289092b06b0dff453eba71dca28ea2fa8c8afd44519449abb300ee4397937b02c0917d785531753267bb6d2afff188f1534e57b02f

Download Submit
C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe

Filesize
134KB

MD5
98533b90fa7909adf78ac17f78147572

SHA1
75f0a91b72adb12f1ca65d3516489d71705e2435

SHA256
75c3393e6b6be630faa40221894491b06a54ec24e1d9ae9f13235ad835c4df67

SHA512
afb720431c912c943b4cd0289092b06b0dff453eba71dca28ea2fa8c8afd44519449abb300ee4397937b02c0917d785531753267bb6d2afff188f1534e57b02f

Download Submit
C:\Users\Admin\Downloads\Zoom_cm_ds_mNW6y-LJF0omgbOu7F3OJt2qBen0b2H3WKgs@dtLAYvh2Hl2N+4sZ_kdfd6ee71c322c428_.exe

Filesize
134KB

MD5
98533b90fa7909adf78ac17f78147572

SHA1
75f0a91b72adb12f1ca65d3516489d71705e2435

SHA256
75c3393e6b6be630faa40221894491b06a54ec24e1d9ae9f13235ad835c4df67

SHA512
afb720431c912c943b4cd0289092b06b0dff453eba71dca28ea2fa8c8afd44519449abb300ee4397937b02c0917d785531753267bb6d2afff188f1534e57b02f

Download Submit
\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe

Filesize
963KB

MD5
dd4ca82899d0afcb6845ed68d7686428

SHA1
75e25ca2368d50febaa5bbd3723e18fa612f6fff

SHA256
8aebaf864479fba2565804ebfd2a38ed593e8c9c15bcf45622ed3bb2d29bd6fa

SHA512
f693cf8f72aaff6bad2a841942d35a7f6a2f6f1ef901ea07c95a2c8f4025248c478b5422ef0b1f128cbd5152c451e289e9376b5a761558294adb65c90bd22e41

Download Submit
\Users\Admin\AppData\Roaming\Zoom\ZoomDownload\Installer.exe

Filesize
963KB

MD5
dd4ca82899d0afcb6845ed68d7686428

SHA1
75e25ca2368d50febaa5bbd3723e18fa612f6fff

SHA256
8aebaf864479fba2565804ebfd2a38ed593e8c9c15bcf45622ed3bb2d29bd6fa

SHA512
f693cf8f72aaff6bad2a841942d35a7f6a2f6f1ef901ea07c95a2c8f4025248c478b5422ef0b1f128cbd5152c451e289e9376b5a761558294adb65c90bd22e41

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\Cmmlib.dll

Filesize
1.9MB

MD5
b13bfc96acb62e33adf78a0411c3bfce

SHA1
a33d80f73c91fceb014046dc7f0640d609ee4695

SHA256
013b2a564dad1a2ccafde38f2293ccf2bdcc6e432bd40cf2443e8c282f4636b7

SHA512
1daac594f8feacef7273dd2b63557bcf6e7e0042018b87a36b548c893b1439eaf321a7a70dd4e4b0d83306fc578888ee27b19a1e96810ce0b1c1704d1bb73662

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\CptShare.dll

Filesize
316KB

MD5
8127069bc1f4e61db3c42fb3fc5b7b62

SHA1
4dc5f43f664840113b294fc77518a6fbcad76090

SHA256
00e436596dca6ab4dbe983f31b3801a6825e251cde88ba1f35b97fabc83c443c

SHA512
6efe9eeae450b8d6f3762bdbd18ec89a1c47cec9c1d9375b08581602dfbfeb7e4acb96d8c72806f8f02ab16e3a5fc54512e62f9dc56fe0de1e1694e951c9b5b0

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe

Filesize
355KB

MD5
941798195266aa7605712af09180c605

SHA1
e8c13cf28e444a3bf19ecd77a292be94b324c603

SHA256
f61f45486c1a3ea5330a87522e6fa139c3ebf33addd2e3bd3dfd9b2881b06917

SHA512
a8d821ecfb8c64ebba9b550bc4c99c2c07b4a0fb6e1cd7b44cd13e848deb1711f3e1f22bfd550c6528f5414a51c0482615507299122b90e60d60cd1b4488cf7c

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
5cce7a5ed4c2ebaf9243b324f6618c0e

SHA1
fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3

SHA256
aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3

SHA512
fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
242829c7be4190564becee51c7a43a7e

SHA1
663154c1437acf66480518068fbc756f5cabb72f

SHA256
edc1699e9995f98826df06d2c45beb9e02aa7817bae3e61373096ae7f6fa06e0

SHA512
3529fde428affc3663c5c69baee60367a083841b49583080f0c4c7e72eaa63cabbf8b9da8ccfc473b3c552a0453405a4a68fcd7888d143529d53e5eec9a91a34

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
fb79420ec05aa715fe76d9b89111f3e2

SHA1
15c6d65837c9979af7ec143e034923884c3b0dbd

SHA256
f6a93fe6b57a54aac46229f2ed14a0a979bf60416adb2b2cfc672386ccb2b42e

SHA512
c40884c80f7921addced37b1bf282bb5cb47608e53d4f4127ef1c6ce7e6bb9a4adc7401389bc8504bf24751c402342693b11cef8d06862677a63159a04da544e

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
143a735134cd8c889ec7d7b85298705b

SHA1
906ac1f3a933dd57798ae826bbefa3096c20d424

SHA256
b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2

SHA512
c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
6f1a1dfb2761228ccc7d07b8b190054c

SHA1
117d66360c84a0088626e22d8b3b4b685cb70d56

SHA256
c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed

SHA512
480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\libcrypto-1_1.dll

Filesize
3.4MB

MD5
57eaaacbec7578e11cef8020cef7139d

SHA1
f727142ed7b990ed2952959c32d555014d2c797a

SHA256
622cda45a38c494a10ba1f08f729f2d68f0b15a0d965b6c3cf1022efbe131e8f

SHA512
0e80c77beb916524ae276c6067467c378b1a9c02cf5b730848a659182bbaa546ff4e00705c3e1be93154f7a555b9fb9fa77115e632f8497abb851e55091ee389

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\msvcp140.dll

Filesize
571KB

MD5
5cde3aed10412762e83b7fe43694a22b

SHA1
4ffcdf063eafc901105836c27a634530ea614755

SHA256
10ddff48d704c6007e4c2d53fb4856b5e5e79479503366236246a323aaa76e9d

SHA512
fcd7bc262e7bbcbbac9258e31b8d62efb2e601ac1fffac4c86819c8f2aed26fc19403d992a57d48ec92752b2a0a8b04e8204423d6077c7800ea4015f016faa23

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\vcruntime140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\vcruntime140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\vcruntime140_1.dll

Filesize
35KB

MD5
ab03551e4ef279abed2d8c4b25f35bb8

SHA1
09bc7e4e1a8d79ee23c0c9c26b1ea39de12a550e

SHA256
f8bc270449ca6bb6345e88be3632d465c0a7595197c7954357dc5066ed50ae44

SHA512
0e7533b8d7e5019ffd1e73937c1627213711725e88c6d7321588f7fffe9e1b4ef5c38311548adbd2c0ee9b407135646593bf1498cbee92275f4e0a22ace78909

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\zCrashReport64.dll

Filesize
243KB

MD5
2ba7bb54ff2d5cd84ca33e2fba4ad021

SHA1
ba4d2626d71664bdd8fe2d87ef3973002114cb55

SHA256
765b122888ec594f42bf132987c30bf644855a29a1d282a4c4751cfb1fbb519b

SHA512
a504f654d6ad1318f2f6a35f22c3fb756457df2637ef1b504408ba16e744ef4ada1d6b4e1435d8a55800aa187bd7818bf57d90fc8fd8974dd49bd6580a726e64

Download Submit
\Users\Admin\AppData\Roaming\Zoom\bin\zCrashReport64.dll

Filesize
243KB

MD5
2ba7bb54ff2d5cd84ca33e2fba4ad021

SHA1
ba4d2626d71664bdd8fe2d87ef3973002114cb55

SHA256
765b122888ec594f42bf132987c30bf644855a29a1d282a4c4751cfb1fbb519b

SHA512
a504f654d6ad1318f2f6a35f22c3fb756457df2637ef1b504408ba16e744ef4ada1d6b4e1435d8a55800aa187bd7818bf57d90fc8fd8974dd49bd6580a726e64

Download Submit
\Users\Admin\AppData\Roaming\Zoom\uninstall\Installer.exe

Filesize
963KB

MD5
dd4ca82899d0afcb6845ed68d7686428

SHA1
75e25ca2368d50febaa5bbd3723e18fa612f6fff

SHA256
8aebaf864479fba2565804ebfd2a38ed593e8c9c15bcf45622ed3bb2d29bd6fa

SHA512
f693cf8f72aaff6bad2a841942d35a7f6a2f6f1ef901ea07c95a2c8f4025248c478b5422ef0b1f128cbd5152c451e289e9376b5a761558294adb65c90bd22e41

Download Submit
memory/1948-144-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/1948-136-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/1948-156-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-155-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-154-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-153-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-152-0x000000000E390000-0x000000000E39A000-memory.dmp

Filesize
40KB

Download
memory/1948-151-0x000000000E390000-0x000000000E39A000-memory.dmp

Filesize
40KB

Download
memory/1948-130-0x000007FEE5500000-0x000007FEE5E04000-memory.dmp

Filesize
9.0MB

Download
memory/1948-132-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/1948-131-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/1948-142-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-141-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-143-0x000000000E8C0000-0x000000000E8CA000-memory.dmp

Filesize
40KB

Download
memory/1948-140-0x000000000E390000-0x000000000E39A000-memory.dmp

Filesize
40KB

Download
memory/1948-139-0x000000000E390000-0x000000000E39A000-memory.dmp

Filesize
40KB

Download
memory/1948-138-0x000000000E390000-0x000000000E39A000-memory.dmp

Filesize
40KB

Download
memory/1948-137-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/1948-150-0x000000000E390000-0x000000000E39A000-memory.dmp

Filesize
40KB

Download
memory/1948-135-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/1948-149-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/1948-148-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/1948-145-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/1948-147-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/1948-146-0x000000000D0E0000-0x000000000D0EA000-memory.dmp

Filesize
40KB

Download
memory/2132-133-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/2132-134-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/2132-126-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/2132-125-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/2132-124-0x000007FEEED80000-0x000007FEEF711000-memory.dmp

Filesize
9.6MB

Download
memory/2132-123-0x000007FEE80B0000-0x000007FEE8785000-memory.dmp

Filesize
6.8MB

Download
memory/2520-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/2768-62-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download