58cc13489685181fbf21fd9ab5eda377d3b4b7f17434928c5bd65cc48e0cb9ec

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03/02/2023, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeamsSetup_c_w_.exe
Size

1.4MB
MD5

54cff67f28596b80ad0167724918bd98
SHA1

cd2d1469482f5e421b1bf08a4b0e0a2081fd6078
SHA256

58cc13489685181fbf21fd9ab5eda377d3b4b7f17434928c5bd65cc48e0cb9ec
SHA512

0a21d26ccfe81f2dfd3793341297fd3521b8fa4f60bcce2d51b4857445cb6b6492b9cdab3d19b4b4e9cfebc42b121ac6b506e0ff2ca2688c5e8ff73eef1abb47
SSDEEP

24576:hNYuPOTryV7OXRnwa4bo5cOHxTrckA+K+K6zR6ZIV5jqzZVyHRe4Li7Z3ibs:TOX674wM5HHx8WKF6zR7YZoHRe4LWZ3J

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Teams.exe

Executes dropped EXE 34 IoCs

pid	Process
2328	Update.exe
1716	Squirrel.exe
736	Teams.exe
4656	Update.exe
3184	Teams.exe
4076	Teams.exe
3600	Teams.exe
1280	Teams.exe
476	Teams.exe
3660	Teams.exe
4016	Teams.exe
2928	Teams.exe
4924	Teams.exe
4704	Teams.exe
4460	Teams.exe
3932	Teams.exe
4204	Teams.exe
1192	Teams.exe
4492	Teams.exe
4300	Teams.exe
4180	Teams.exe
60	Teams.exe
2724	Teams.exe
3472	Teams.exe
2956	Teams.exe
3852	Teams.exe
4756	Teams.exe
1652	Teams.exe
792	Teams.exe
1752	Teams.exe
4892	Teams.exe
3680	Teams.exe
2264	Teams.exe
1832	Teams.exe

Loads dropped DLL 64 IoCs

pid	Process
736	Teams.exe
736	Teams.exe
736	Teams.exe
736	Teams.exe
3184	Teams.exe
3184	Teams.exe
3184	Teams.exe
3184	Teams.exe
3184	Teams.exe
3184	Teams.exe
4076	Teams.exe
3600	Teams.exe
2924	regsvr32.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
4472	regsvr32.exe
4472	regsvr32.exe
4472	regsvr32.exe
4472	regsvr32.exe
1640	regsvr32.exe
1640	regsvr32.exe
1640	regsvr32.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
1280	Teams.exe
1280	Teams.exe
1280	Teams.exe
1280	Teams.exe
1280	Teams.exe
1280	Teams.exe
476	Teams.exe
3660	Teams.exe
4016	Teams.exe
3600	Teams.exe
2928	Teams.exe
4924	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
4704	Teams.exe
4704	Teams.exe
4704	Teams.exe
4460	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
4204	Teams.exe
1192	Teams.exe
4204	Teams.exe
4204	Teams.exe
4204	Teams.exe
4204	Teams.exe
4204	Teams.exe
4492	Teams.exe
4300	Teams.exe
4180	Teams.exe
60	Teams.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\1.0.22321.3\\x86\\Microsoft.Teams.AddinLoader.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\1.0.22321.3\\x64\\Microsoft.Teams.AddinLoader.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.Teams.Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\""	Teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.Teams.Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\""	Teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.squirrel.Teams.Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\""	Teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Teams.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{92D7E7A8-48D8-4166-8911-630AE02B2B93}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{BE026CD2-7E82-4F7C-8762-F6B02F496174}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{61CE9972-C619-4A88-A5D1-D2DFBCD4D2A1}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{330639F2-E399-48CB-863F-56A50A27A138}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{C31FB52D-9E9E-45AD-A102-5218E1685B78}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{3C8D7146-35EA-4133-B2F6-C1FC2401A091}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{F97BED54-E434-4020-A197-F15AEA9D9C95}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{88C688B0-3908-4C56-A2E8-F90AB705C536}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{56A868B4-0AD4-11CE-B03A-0020AF0BA770}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{9244D573-914F-4C1F-93F6-31609A95CBED}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{E6B3F5FA-4208-4C37-AE07-F6435B68D693}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{C14A2DE1-2C90-49E6-B871-46D338A88FF5}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{C7ACB102-B692-49CC-92DA-5824822C7B96}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{F423726D-0E9B-4B55-9569-E79865210F69}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{B00F2520-029C-47D0-B4E8-8FBEF47CAA7E}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{6B551C9E-DE81-41DF-A0AE-39F0AF11D508}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-teams\URL Protocol	Teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{25025B1B-0084-44D1-B383-9FFC9A99ABCD}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{89C7EB8E-42BC-4C9F-BB34-88CDE83CCB37}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{C14A2DE1-2C90-49E6-B871-46D338A88FF5}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{56F7DEC0-59CA-47C6-9F35-D5066A702B39}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{806D3227-4CB8-47C4-9864-7D4DF4F44069}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{953AE732-F53A-4116-AC1B-0321B3FB3DBA}\ = "_ILyncClientEvents"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{283C2089-B760-4D65-9199-716627174F7A}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{87665417-C861-4E1D-ACE8-3F566EE986A2}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{086F0E9D-A416-40F9-877C-F1C82DC1A6AD}\ = "IVideoViewInformationChangedEventData"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{DCDEA425-B5F2-4719-A3B4-69FFB9770BE6}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{300E56A3-CE08-4EB3-9F48-505AA162C9DA}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{E2E49A1A-8E53-46A6-8A78-AB9B2F0B6987}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{8C9B6953-33CC-4A04-9DA4-F71AE79DA0C0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{BE6086A1-D436-4834-89EE-3CA4F8596A58}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{9274DBDC-43CE-45AA-A817-414A4494AD28}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{603E2454-725A-4679-A6A8-363B21633CB2}\ = "IRoomMessageDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{B00F2520-029C-47D0-B4E8-8FBEF47CAA7E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{B335AE5E-E4EA-49D3-B03B-646A96FE66D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{25025B1B-0084-44D1-B383-9FFC9A99ABCD}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{18BA13C7-A64E-4301-BA51-D1BFB3C1C9D5}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{D60B1701-766D-401E-8586-83E0C9106BE0}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{4FE44049-4E44-4109-B234-4E4EFC135A86}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{3F60CFF7-BE3F-4404-8395-C02D0CDD318E}\ = "_IModalityCallback"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{7BF20B14-58D1-494B-B301-9B16BACC9610}\ = "IRoomPropertyDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{7452BD0F-65CB-4A5E-AC37-E2BEA1F43DD9}\ = "IRoomParticipantsEventData"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{1A8A9402-E89F-40AE-88A8-B328391684B6}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{56F7DEC0-59CA-47C6-9F35-D5066A702B39}\ = "IConversationStateChangePropertyDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{CA7EEB7A-7DC3-4FFE-A174-23DB5A003C04}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\TypeLib\{B9AA1F11-F480-4054-A84E-B5D9277E40A8}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsPresenceAddin\\Uc.tlb"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{FD9000B3-479F-4B16-9D63-70A49E078946}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{7BF20B14-58D1-494B-B301-9B16BACC9610}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{7BF20B14-58D1-494B-B301-9B16BACC9610}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{B8FD4A53-E7E6-4995-A5B5-1306C7584964}\ = "IUnreadMessageCountChangedEventData"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{1B889699-5867-4D32-9C9C-5B7AE21B9838}\ = "IPropertyDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{87084018-7E74-4F92-AB39-1CF03188580E}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{EFEC2816-F16D-48D8-9306-26C810F0EA55}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{0BDB9057-28AE-4BF0-AFF0-12A148E51637}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{4BACB4B8-1236-42B8-BDA1-D1533148780D}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{24738605-334C-4C04-8A58-7AC7CAD76497}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{C0034194-F7B6-43EB-B0E0-7852FC8E7BFA}\ = "IPhonesChangedEventData"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{AE3A7C39-9C30-4E0F-BAE4-D8344EF377EA}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{48B3099D-841D-4CAA-9202-5787596E2BD2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\msteams\shell\open	Teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{80EDBF3A-812E-42B5-A67F-6CC6D9A19A6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Interface\{995F992C-9DEF-47B9-BF11-81813C0C0E28}\ = "ISearchProviderStateChangedEventData"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\Interface\{53D014C1-54DB-42B3-9DFD-8E231EF2C356}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4076	Teams.exe
4076	Teams.exe
476	Teams.exe
476	Teams.exe
4704	Teams.exe
4704	Teams.exe
1192	Teams.exe
1192	Teams.exe
2956	Teams.exe
2956	Teams.exe
792	Teams.exe
792	Teams.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	Update.exe
Token: 33	3744	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3744	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2328	Update.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3600	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
3932	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe
4756	Teams.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2328	3240	TeamsSetup_c_w_.exe	79
PID 3240 wrote to memory of 2328	3240	TeamsSetup_c_w_.exe	79
PID 3240 wrote to memory of 2328	3240	TeamsSetup_c_w_.exe	79
PID 2328 wrote to memory of 1716	2328	Update.exe	88
PID 2328 wrote to memory of 1716	2328	Update.exe	88
PID 2328 wrote to memory of 1716	2328	Update.exe	88
PID 2328 wrote to memory of 736	2328	Update.exe	89
PID 2328 wrote to memory of 736	2328	Update.exe	89
PID 736 wrote to memory of 4656	736	Teams.exe	92
PID 736 wrote to memory of 4656	736	Teams.exe	92
PID 736 wrote to memory of 4656	736	Teams.exe	92
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 3184	736	Teams.exe	93
PID 736 wrote to memory of 4076	736	Teams.exe	94
PID 736 wrote to memory of 4076	736	Teams.exe	94
PID 2328 wrote to memory of 3600	2328	Update.exe	96
PID 2328 wrote to memory of 3600	2328	Update.exe	96
PID 2328 wrote to memory of 2924	2328	Update.exe	97
PID 2328 wrote to memory of 2924	2328	Update.exe	97
PID 2328 wrote to memory of 2924	2328	Update.exe	97

C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=TeamsSetup_c_w_.exe --bootstrapperMode
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1716
- - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.6.00.376
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\Update.exe
      C:\Users\Admin\AppData\Local\Microsoft\Teams\Update.exe --createShortcut=Teams.exe -l=StartMenu
      4⤵
      Executes dropped EXE
      PID:4656
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --field-trial-handle=1708,16568867583337936077,15889340323480924712,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3184
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,16568867583337936077,15889340323480924712,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2060 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4076
- - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3600
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1280
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=none --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2120 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:476
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2496 --msteams-process-type=loadingWindow /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:3660
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3056 --msteams-process-type=notificationsManager /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4016
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --ms-allow-videorenderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2468 --msteams-process-type=mainWindow /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:2928
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=4088 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4924
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1628,10811946257488784848,1827276910778343348,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=2584 --msteams-process-type=pluginHost /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4704
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=relauncher --no-sandbox --- "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4460
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=none --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2112 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2428 --msteams-process-type=loadingWindow /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4492
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3040 --msteams-process-type=notificationsManager /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3912 --msteams-process-type=accountSelectWindow /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=4076 /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:60
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4292 --msteams-process-type=accountSelectWindow /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --ms-allow-videorenderer --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2932 --msteams-process-type=mainWindow /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1676,8244050753188457888,6297749510171085466,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=3920 --msteams-process-type=pluginHost /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=relauncher --no-sandbox --- "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe"
        6⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 /prefetch:2
        8⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=none --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2088 /prefetch:8
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2356 --msteams-process-type=loadingWindow /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2980 --msteams-process-type=notificationsManager /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3888 --msteams-process-type=accountSelectWindow /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=es --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=3920 /prefetch:8
        8⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --field-trial-handle=1724,15007491886532436794,7241785920624156797,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,MediaFoundationAsyncH264Encoding,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=es --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4252 --msteams-process-type=accountSelectWindow /prefetch:1
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1832
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\Microsoft.Teams.AddinLoader.dll"
    3⤵
    - Loads dropped DLL
    PID:2924
  - - C:\Windows\system32\regsvr32.exe
      /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\Microsoft.Teams.AddinLoader.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      PID:4472
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x86\Microsoft.Teams.AddinLoader.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x3b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\MSVCP140.dll

Filesize
561KB

MD5
df99ca951311e094dcc3144d8698e945

SHA1
40e37e68e52ab0fd8b38ee399dca27554dc600ac

SHA256
97f9d3ccea7d2717915587d04d3adca516824ae91c157afa023a48fa61b9041e

SHA512
27203d1aaa254a1a107ab2147837116649a9768ae105117557632a2226cef6681ae60b342c3f6cda5cb35830ebdee77fcb8ac4986b06f9cf94399951ba2df014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\Microsoft.Teams.AddinLoader.dll

Filesize
231KB

MD5
ff0e9e6d09f7dcb40efac485e10a64c3

SHA1
4e313f3f69cef063c1167e579460ef1cc9345606

SHA256
90108b5d5895cdfe418c6a0ab695898666a3f015094ea535a7cfb955e47afd1a

SHA512
01ec9079ee4dc7a12728dcfac65ad2a040ee9b2a3037bcc89ae82ad6d2517737d07ca3624afe25ebccbe65b849fa31fa0cf88bfa415d9c865a88dd5abeb76fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\Microsoft.Teams.AddinLoader.dll

Filesize
231KB

MD5
ff0e9e6d09f7dcb40efac485e10a64c3

SHA1
4e313f3f69cef063c1167e579460ef1cc9345606

SHA256
90108b5d5895cdfe418c6a0ab695898666a3f015094ea535a7cfb955e47afd1a

SHA512
01ec9079ee4dc7a12728dcfac65ad2a040ee9b2a3037bcc89ae82ad6d2517737d07ca3624afe25ebccbe65b849fa31fa0cf88bfa415d9c865a88dd5abeb76fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\Microsoft.Teams.AddinLoader.dll

Filesize
231KB

MD5
ff0e9e6d09f7dcb40efac485e10a64c3

SHA1
4e313f3f69cef063c1167e579460ef1cc9345606

SHA256
90108b5d5895cdfe418c6a0ab695898666a3f015094ea535a7cfb955e47afd1a

SHA512
01ec9079ee4dc7a12728dcfac65ad2a040ee9b2a3037bcc89ae82ad6d2517737d07ca3624afe25ebccbe65b849fa31fa0cf88bfa415d9c865a88dd5abeb76fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\VCRUNTIME140.dll

Filesize
104KB

MD5
f529d483050c15a851c33931de3257a4

SHA1
d8c55da276477b04e823077269414be6d6d8cd6d

SHA256
bf589cf495dd7f5154601d5b44791e644679d984164e8204641e3f923879409f

SHA512
93517adf27013faecc7e525b54f52e6bdb6095beb52a61efc50108a3c0a9bb74192b299a7bdef4673e0f39edcc6aa6475b7c11c5e5c941e2d2666396d0c6eb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\VCRUNTIME140_1.dll

Filesize
46KB

MD5
89be8c3393ce468c9ac30d29741147e0

SHA1
ea3a486d15952e6eee79330f6f50d46e781656d4

SHA256
4e84d1e16a0629996468415a7fa0b037f8d0c496219d220cd17c0440bd35663b

SHA512
52bc8db3d3cd01902b1a62af580504ad6b81a5dacc3b28b4b32f9f6ccc6cd9afc4a1cd072b939eef7832c3d55f256d04ed60075e25aafdaf1be1d4a97a67fe52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\msvcp140.dll

Filesize
561KB

MD5
df99ca951311e094dcc3144d8698e945

SHA1
40e37e68e52ab0fd8b38ee399dca27554dc600ac

SHA256
97f9d3ccea7d2717915587d04d3adca516824ae91c157afa023a48fa61b9041e

SHA512
27203d1aaa254a1a107ab2147837116649a9768ae105117557632a2226cef6681ae60b342c3f6cda5cb35830ebdee77fcb8ac4986b06f9cf94399951ba2df014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\vcruntime140.dll

Filesize
104KB

MD5
f529d483050c15a851c33931de3257a4

SHA1
d8c55da276477b04e823077269414be6d6d8cd6d

SHA256
bf589cf495dd7f5154601d5b44791e644679d984164e8204641e3f923879409f

SHA512
93517adf27013faecc7e525b54f52e6bdb6095beb52a61efc50108a3c0a9bb74192b299a7bdef4673e0f39edcc6aa6475b7c11c5e5c941e2d2666396d0c6eb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.22321.3\x64\vcruntime140_1.dll

Filesize
46KB

MD5
89be8c3393ce468c9ac30d29741147e0

SHA1
ea3a486d15952e6eee79330f6f50d46e781656d4

SHA256
4e84d1e16a0629996468415a7fa0b037f8d0c496219d220cd17c0440bd35663b

SHA512
52bc8db3d3cd01902b1a62af580504ad6b81a5dacc3b28b4b32f9f6ccc6cd9afc4a1cd072b939eef7832c3d55f256d04ed60075e25aafdaf1be1d4a97a67fe52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\D3DCompiler_47.dll

Filesize
4.7MB

MD5
22f429f40d50c3d350cecc8027c60b35

SHA1
f4a878295eb93986af16893de24b9aa245717783

SHA256
81bce53e3bc4c519efadbf25b607304cde7ea08aeb20d080892ff6ae206412d3

SHA512
62b215a50217a2f5ea07eae00c0670de17bf8ec31702604f39ef01c40cc09a40c123567324f3b073a888533443b89fb04c59c78a9144af66f1f5b850beb8b662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe

Filesize
2.5MB

MD5
503a967f2b298d2cdaabce364b337f94

SHA1
85ae024813db785cba8d98beb928db0d0bbc7324

SHA256
56e53b52fea786ca46c2c1d9cccaf83624fdc9d040d2d5445b9b77632136eaa1

SHA512
fe7196b267191ec18a9d2e6f187aece244ff2ab01d58f623b5f1ce387a92e212ac844dd701428847955657724abe7a73bd960eb1c4dce484133451cc9e9ec150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe

Filesize
2.5MB

MD5
503a967f2b298d2cdaabce364b337f94

SHA1
85ae024813db785cba8d98beb928db0d0bbc7324

SHA256
56e53b52fea786ca46c2c1d9cccaf83624fdc9d040d2d5445b9b77632136eaa1

SHA512
fe7196b267191ec18a9d2e6f187aece244ff2ab01d58f623b5f1ce387a92e212ac844dd701428847955657724abe7a73bd960eb1c4dce484133451cc9e9ec150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe

Filesize
133.6MB

MD5
e6f2fcb59a50185dae41146226a41ee7

SHA1
6d302ee78a2291e2fb56e110336e284a608bdaa6

SHA256
d5a5a3afabbe26175ecf94d8f121eb73014e1f181aaf734b1ac7d286c09997a4

SHA512
685369a9a7e792598cffbef0e81ddf3d1c2a76d7a1c5527ce4fd80385ab22bf0cf99c8daf4f8a9e9c8601098e3acdb13b7d9a488c4e855da8e1f7f54ee72128b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe

Filesize
133.6MB

MD5
e6f2fcb59a50185dae41146226a41ee7

SHA1
6d302ee78a2291e2fb56e110336e284a608bdaa6

SHA256
d5a5a3afabbe26175ecf94d8f121eb73014e1f181aaf734b1ac7d286c09997a4

SHA512
685369a9a7e792598cffbef0e81ddf3d1c2a76d7a1c5527ce4fd80385ab22bf0cf99c8daf4f8a9e9c8601098e3acdb13b7d9a488c4e855da8e1f7f54ee72128b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe

Filesize
133.6MB

MD5
e6f2fcb59a50185dae41146226a41ee7

SHA1
6d302ee78a2291e2fb56e110336e284a608bdaa6

SHA256
d5a5a3afabbe26175ecf94d8f121eb73014e1f181aaf734b1ac7d286c09997a4

SHA512
685369a9a7e792598cffbef0e81ddf3d1c2a76d7a1c5527ce4fd80385ab22bf0cf99c8daf4f8a9e9c8601098e3acdb13b7d9a488c4e855da8e1f7f54ee72128b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe

Filesize
133.6MB

MD5
e6f2fcb59a50185dae41146226a41ee7

SHA1
6d302ee78a2291e2fb56e110336e284a608bdaa6

SHA256
d5a5a3afabbe26175ecf94d8f121eb73014e1f181aaf734b1ac7d286c09997a4

SHA512
685369a9a7e792598cffbef0e81ddf3d1c2a76d7a1c5527ce4fd80385ab22bf0cf99c8daf4f8a9e9c8601098e3acdb13b7d9a488c4e855da8e1f7f54ee72128b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe

Filesize
133.6MB

MD5
e6f2fcb59a50185dae41146226a41ee7

SHA1
6d302ee78a2291e2fb56e110336e284a608bdaa6

SHA256
d5a5a3afabbe26175ecf94d8f121eb73014e1f181aaf734b1ac7d286c09997a4

SHA512
685369a9a7e792598cffbef0e81ddf3d1c2a76d7a1c5527ce4fd80385ab22bf0cf99c8daf4f8a9e9c8601098e3acdb13b7d9a488c4e855da8e1f7f54ee72128b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\chrome_100_percent.pak

Filesize
138KB

MD5
4f7cf265db503b21845d2df4dc903022

SHA1
970b35882db6670c81bd745bdeed11f011c609da

SHA256
c48e6d360aee16159d4be43f9144f77d3275a87b3f77eae548e357601c55fc16

SHA512
5645d2c226697c7ac69ce73e9124630696516fc18286a5579823588f93a936da71084a3850f1f9a7b34c624f4c502957107f5957ffba5e6c1e4da6d8da7d3348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\chrome_200_percent.pak

Filesize
202KB

MD5
6a7a9dee6b4d47317b4478dba3b2076c

SHA1
e9167673a3d25ad37e2d83e04af92bfda48f0c86

SHA256
b820d19a7a8ce9d12a26837f967f983e45b07550b49e7b9a25e57b417c5f6fd9

SHA512
67466e21a13ca449b014b511fb49bfc51df841eb5776f93b4bda2e0023da96d368ac5c65de051ed9de1899275b9f33839af2c387be903688cdb48bf08993791e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\d3dcompiler_47.dll

Filesize
4.7MB

MD5
22f429f40d50c3d350cecc8027c60b35

SHA1
f4a878295eb93986af16893de24b9aa245717783

SHA256
81bce53e3bc4c519efadbf25b607304cde7ea08aeb20d080892ff6ae206412d3

SHA512
62b215a50217a2f5ea07eae00c0670de17bf8ec31702604f39ef01c40cc09a40c123567324f3b073a888533443b89fb04c59c78a9144af66f1f5b850beb8b662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.6MB

MD5
592ff5a0c2c53c3a54876c7b87252d9d

SHA1
08b6b1006e5b1f6a1d122f96bb0519ae04faa83c

SHA256
965a0b788bc7d23564f41966ebb585c362bb7dcd6b57b1042112689981326638

SHA512
f3fb48c77ee435f122bbf06b54e3ea644719081da0875dcdeaf58417f79efadabf11b871150a478554cbfd10d76b4f2f2c8ed082d23340189ee6e5a04787bd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.6MB

MD5
592ff5a0c2c53c3a54876c7b87252d9d

SHA1
08b6b1006e5b1f6a1d122f96bb0519ae04faa83c

SHA256
965a0b788bc7d23564f41966ebb585c362bb7dcd6b57b1042112689981326638

SHA512
f3fb48c77ee435f122bbf06b54e3ea644719081da0875dcdeaf58417f79efadabf11b871150a478554cbfd10d76b4f2f2c8ed082d23340189ee6e5a04787bd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.6MB

MD5
592ff5a0c2c53c3a54876c7b87252d9d

SHA1
08b6b1006e5b1f6a1d122f96bb0519ae04faa83c

SHA256
965a0b788bc7d23564f41966ebb585c362bb7dcd6b57b1042112689981326638

SHA512
f3fb48c77ee435f122bbf06b54e3ea644719081da0875dcdeaf58417f79efadabf11b871150a478554cbfd10d76b4f2f2c8ed082d23340189ee6e5a04787bd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.6MB

MD5
592ff5a0c2c53c3a54876c7b87252d9d

SHA1
08b6b1006e5b1f6a1d122f96bb0519ae04faa83c

SHA256
965a0b788bc7d23564f41966ebb585c362bb7dcd6b57b1042112689981326638

SHA512
f3fb48c77ee435f122bbf06b54e3ea644719081da0875dcdeaf58417f79efadabf11b871150a478554cbfd10d76b4f2f2c8ed082d23340189ee6e5a04787bd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.6MB

MD5
592ff5a0c2c53c3a54876c7b87252d9d

SHA1
08b6b1006e5b1f6a1d122f96bb0519ae04faa83c

SHA256
965a0b788bc7d23564f41966ebb585c362bb7dcd6b57b1042112689981326638

SHA512
f3fb48c77ee435f122bbf06b54e3ea644719081da0875dcdeaf58417f79efadabf11b871150a478554cbfd10d76b4f2f2c8ed082d23340189ee6e5a04787bd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\icudtl.dat

Filesize
9.7MB

MD5
0647e9749a8858d880ab29d58bf6858c

SHA1
5d3daf3541ef56d6452986ad047d7609e310991f

SHA256
c9472290778a5e08237ee32b9fca25a35217955dc5932e7ab5a33e3940de6468

SHA512
036d5c6952c2ba62700f30767b38551ac90f670ae061a9912e076b13a93c8cc30305cdf3474d1bb5ff4677d343967615dadab712fafb51167331df6c900ce73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libEGL.dll

Filesize
456KB

MD5
174632b57d1a0ddf2593862e68f439f9

SHA1
ffc82dc8a947e85118e6aa65b17d6d4a580cd37f

SHA256
cdfd5d04c251464a337dcba8c50f014eafcd5c1f98f6da4bcc0d050e0db5b8ee

SHA512
d5bbc130987f67e627a7135abfef205b7af1d6751055eeacb98aebeb7b2dc96c4dfaaa83f207648fd7fdfa4e1d20c134a910731bfca41c03a977c2b6b66bc2de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libGLESv2.dll

Filesize
7.7MB

MD5
b18abf66de1eba7ab1e57f0eb834dab7

SHA1
fbb29c1ea0e117ee3f37dc1a56b4780546c7cd2a

SHA256
b5888b4ff50335d7d6d8688ca2fd2ed9e7bc8afd40ce18939ddbbce6b2c2b817

SHA512
d1c88d98d45257446494004c027277106dc91aaaaeab8710c2f67f512d894580cac241cdd3ba7050bb240936ddbe933e17ea0ac6a4d9f2bc1523a3ca311c81f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libegl.dll

Filesize
456KB

MD5
174632b57d1a0ddf2593862e68f439f9

SHA1
ffc82dc8a947e85118e6aa65b17d6d4a580cd37f

SHA256
cdfd5d04c251464a337dcba8c50f014eafcd5c1f98f6da4bcc0d050e0db5b8ee

SHA512
d5bbc130987f67e627a7135abfef205b7af1d6751055eeacb98aebeb7b2dc96c4dfaaa83f207648fd7fdfa4e1d20c134a910731bfca41c03a977c2b6b66bc2de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libglesv2.dll

Filesize
7.7MB

MD5
b18abf66de1eba7ab1e57f0eb834dab7

SHA1
fbb29c1ea0e117ee3f37dc1a56b4780546c7cd2a

SHA256
b5888b4ff50335d7d6d8688ca2fd2ed9e7bc8afd40ce18939ddbbce6b2c2b817

SHA512
d1c88d98d45257446494004c027277106dc91aaaaeab8710c2f67f512d894580cac241cdd3ba7050bb240936ddbe933e17ea0ac6a4d9f2bc1523a3ca311c81f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\locales\es.pak

Filesize
125KB

MD5
39288ea031009bb9db582cbd93c7d534

SHA1
467f76d33e39526a4d8cb6068eaf8e2791b3a9ee

SHA256
6cd39669df96b4b5b9047f7689338d3beb9ad7f8be2fddc595ef1ecbc47481c2

SHA512
4a635e969cf2b09aab5f8723a3380c5e226bf0546019506d18de65c1e4a599d268b9ee2e03a65b245075f899a09697b7b535f1055c19344a411100c8f29d93b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources.pak

Filesize
4.9MB

MD5
e6155cfcc92b993c3ff3f8191cbc74dd

SHA1
47f38b1e58bd98d2a6b59a22aea52e43a2c54fdf

SHA256
4131954474e5af32150d5f3360982a08b518c0ec756764bbb818af2b291931d5

SHA512
33bab35a73688727da8c61451fc99197ac8f5ae49ce4187c666c1e8b5fbc9b57679b367876064797a6baef4eeef0807d609ed021e55dcff50f232ac254258bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\Resources.pri

Filesize
44KB

MD5
a54e95f05882b842ff38d0dfe56c608f

SHA1
9228f20811ae38b90f2d4df777cb48b97425b0ac

SHA256
eac4cf6a1bab2e28d028703b470b03bb55d171aec6ac197e88458ef73986beec

SHA512
6cff012e0f0df8d214d343e378f30a304f0539b492caf33103a0fe0bf64783726d7b1b8205382ca27c7fc7362c94d77056ed21285c3ad7bca268a5813621f032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\ThirdPartyNotice.txt

Filesize
466KB

MD5
6574701d36310a6c787dcc1711d19d50

SHA1
bc69ac3773d4fca22d96ae8ea5272a2aa46264ec

SHA256
09f3a037b1bb99fe058423a8b65880ff0ec2619b95f98038766b4c83eaea8431

SHA512
af3afd3eefb7418505965f2380323cdee2f1b6ce635670c10ca189cf0e28c966048e049cf8a788c51928717f22862e1bdf4016a371b79486a7e77b831454bec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\Update.VisualElementsManifest.xml

Filesize
441B

MD5
4a061850dc8b7f1187b8f6ca479b8fab

SHA1
a6a8cdc9a81a3a054e30770c5359a1dae007e630

SHA256
556d794a47d829e38dbf430ecd97ac1c9fb778a3294ba252bbb99c9f48fc290e

SHA512
337f2d53eb31678585534e9e192a777bb812307909165d936ef3cff8acb4dfb2294a77781e85d7d61ae17be0cd8f2703938c9a7023bdf308bbf3613d0d6d050d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar

Filesize
24.3MB

MD5
db10ddd8eb8f244fd67f1b8935fffe37

SHA1
51aea8f2cd8ac1a4c7b3fefa9e1df8ac1dd55c8f

SHA256
dcc6db6b1448d0e1ab5aa8d1dfbe0e286b2b458f8c428414507318a30bf211c5

SHA512
6935fac7213f65638390b80ae7d664b57aac8547373cc302dc7561615c4eefe7593a80055c164d059b38ee1a8309145c92e8353d49dab4cb56a547041bdce72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.node

Filesize
203KB

MD5
3939e8a168e86339461f3162cd8b4f84

SHA1
76617f3c432bf3f6dc33fd1f9a6a0517843ce5fb

SHA256
bf6a1e4b1ed349002dab960e646fa89797fed1b1892a72fec7826decf8c7c427

SHA512
e4be313f25febbdb985e732d8f23c029ee82983099d908fd5adfc285aaa351aa157508692c974f115e44bbeff27f830531baa1ec90b77d696cd3c0c78ab2b826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.node

Filesize
203KB

MD5
3939e8a168e86339461f3162cd8b4f84

SHA1
76617f3c432bf3f6dc33fd1f9a6a0517843ce5fb

SHA256
bf6a1e4b1ed349002dab960e646fa89797fed1b1892a72fec7826decf8c7c427

SHA512
e4be313f25febbdb985e732d8f23c029ee82983099d908fd5adfc285aaa351aa157508692c974f115e44bbeff27f830531baa1ec90b77d696cd3c0c78ab2b826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.node

Filesize
203KB

MD5
3939e8a168e86339461f3162cd8b4f84

SHA1
76617f3c432bf3f6dc33fd1f9a6a0517843ce5fb

SHA256
bf6a1e4b1ed349002dab960e646fa89797fed1b1892a72fec7826decf8c7c427

SHA512
e4be313f25febbdb985e732d8f23c029ee82983099d908fd5adfc285aaa351aa157508692c974f115e44bbeff27f830531baa1ec90b77d696cd3c0c78ab2b826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.node

Filesize
227KB

MD5
fa1cc1e332ee00c19563dc28192d7c5d

SHA1
e476874f905cfb046331bc2952586a11a5c2173c

SHA256
68eca8c81021be05bf7bfac34214f2c2070bef8b8c50d14cd99256d3be46f839

SHA512
8dd57555720840af5ea1cd353ee0f748384d6ef6db81ea7d330b0cf443b0dd17dbd202dcd416607959a7727eb5808943b44c01bd2e1caaa7dc6a2500d2cb099f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.node

Filesize
227KB

MD5
fa1cc1e332ee00c19563dc28192d7c5d

SHA1
e476874f905cfb046331bc2952586a11a5c2173c

SHA256
68eca8c81021be05bf7bfac34214f2c2070bef8b8c50d14cd99256d3be46f839

SHA512
8dd57555720840af5ea1cd353ee0f748384d6ef6db81ea7d330b0cf443b0dd17dbd202dcd416607959a7727eb5808943b44c01bd2e1caaa7dc6a2500d2cb099f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.node

Filesize
227KB

MD5
fa1cc1e332ee00c19563dc28192d7c5d

SHA1
e476874f905cfb046331bc2952586a11a5c2173c

SHA256
68eca8c81021be05bf7bfac34214f2c2070bef8b8c50d14cd99256d3be46f839

SHA512
8dd57555720840af5ea1cd353ee0f748384d6ef6db81ea7d330b0cf443b0dd17dbd202dcd416607959a7727eb5808943b44c01bd2e1caaa7dc6a2500d2cb099f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.node

Filesize
180KB

MD5
b1b66658dc99ed688b1f7bdb2818bd66

SHA1
12d4c1c9093422aa7739f5b9aeccf3a7ae7fea7a

SHA256
4fda48cacaa727f4333e0a0e19ed1aa423e5d667ad0af5a5d8515ef10b338fe4

SHA512
15e0c03deb9d64567e84af1b521ee945da973c53b8c45702763cacd434d62ca4146a11e6ad2b2309c28cabcdb337c77a9cde10220aa3e662d88af23bda9e37d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.node

Filesize
180KB

MD5
b1b66658dc99ed688b1f7bdb2818bd66

SHA1
12d4c1c9093422aa7739f5b9aeccf3a7ae7fea7a

SHA256
4fda48cacaa727f4333e0a0e19ed1aa423e5d667ad0af5a5d8515ef10b338fe4

SHA512
15e0c03deb9d64567e84af1b521ee945da973c53b8c45702763cacd434d62ca4146a11e6ad2b2309c28cabcdb337c77a9cde10220aa3e662d88af23bda9e37d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.node

Filesize
180KB

MD5
b1b66658dc99ed688b1f7bdb2818bd66

SHA1
12d4c1c9093422aa7739f5b9aeccf3a7ae7fea7a

SHA256
4fda48cacaa727f4333e0a0e19ed1aa423e5d667ad0af5a5d8515ef10b338fe4

SHA512
15e0c03deb9d64567e84af1b521ee945da973c53b8c45702763cacd434d62ca4146a11e6ad2b2309c28cabcdb337c77a9cde10220aa3e662d88af23bda9e37d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\v8_context_snapshot.bin

Filesize
160KB

MD5
e59b7dea16e42e868103decf39a57211

SHA1
7ddbdc1949d3e27ee63d122d33a89eae18dd3a83

SHA256
6d5223b259e14b5b1bf8f9444e2e23c966dbbfd6696097d5a779b47cde7a3a7d

SHA512
48ad2f73e038c228d2f2161ee68791be1e94ad13d6e17acd21477304e0fc5ae800295fa5266fef4ae483920cb2ec122be0e691e1bf07d62d10b76563ba0103b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vk_swiftshader.dll

Filesize
4.3MB

MD5
0bbf7efa4c57d3d907efcd7574b77573

SHA1
70c8144ff793cd18e5499c87d7487f657103e70c

SHA256
07fc8869bf3a91906ed61c8ca8c54ea2af7f11ac55a8b917ce44d30a1a263d72

SHA512
c9bb8db924cfb4abd30aea84987b6f0f1228d8e2e458581feef49f72bf9b6767f74177fae3f89f59297fe06bd7b7dced8eaf53750948c4614b6a7ec3b4e9622d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vk_swiftshader.dll

Filesize
4.3MB

MD5
0bbf7efa4c57d3d907efcd7574b77573

SHA1
70c8144ff793cd18e5499c87d7487f657103e70c

SHA256
07fc8869bf3a91906ed61c8ca8c54ea2af7f11ac55a8b917ce44d30a1a263d72

SHA512
c9bb8db924cfb4abd30aea84987b6f0f1228d8e2e458581feef49f72bf9b6767f74177fae3f89f59297fe06bd7b7dced8eaf53750948c4614b6a7ec3b4e9622d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vulkan-1.dll

Filesize
730KB

MD5
2368f2dc8ac4d14332fd7b4da3798d08

SHA1
5be09c558dd58195c6accb0c0f84eda72819f47a

SHA256
b09d2ab31d116739db4826246261c6537e04c3d30ebea849d9f022e8c3413269

SHA512
ef871c618b7aa83ca86205da94b25c14e4973a3418d3cc6d7a519c032727260e39d48b37ddc77003a9a797b0f130a3da81256b1335c2a942cb04d55aa311d207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vulkan-1.dll

Filesize
730KB

MD5
2368f2dc8ac4d14332fd7b4da3798d08

SHA1
5be09c558dd58195c6accb0c0f84eda72819f47a

SHA256
b09d2ab31d116739db4826246261c6537e04c3d30ebea849d9f022e8c3413269

SHA512
ef871c618b7aa83ca86205da94b25c14e4973a3418d3cc6d7a519c032727260e39d48b37ddc77003a9a797b0f130a3da81256b1335c2a942cb04d55aa311d207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\packages\RELEASES

Filesize
81B

MD5
ab8d7e1d2ef21c45c7157010c5ccbd6f

SHA1
ac27a5fe59b7667d119411223a76f1448b1c3f7f

SHA256
56eb24d1dbbc5dda0acfa95dff558b43ca2944dfaed2fb47a02643796e5b5269

SHA512
972ba56d4e1fc8fa7778ede21de289a872f09510bde1952e71ce839b920b4b7ffb4bb51139de32f65495bbee48d4fb28e961e794aae2845c1c646af75fcdbcaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\packages\Teams-1.6.00.376-full.nupkg

Filesize
131.0MB

MD5
9f3044c558619281b92b3e1d633de26b

SHA1
520ee78478a8224c9c474696f1a03df5a646ea60

SHA256
7ac78e52a4330d5645e7cf42977ec1572d298be482db5cdfc4460ac52aa87393

SHA512
abf6ebfb933617f36312caaa108504e7663fd4213037e02a1b3a72fcd7ed7c82098bb2e5a3b4ed3b85ed09dc4ddd96d62c026b6a33b8df59598b4a173f1954e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
8KB

MD5
ff1f29dca0451246c3ca6cb7b023434f

SHA1
b26bea187f072d9a401b7fd06661492418b893ec

SHA256
753d7d351e427246e2b6cc86c45e21f952939e306c3eb2fdb1bd7d67842c64b8

SHA512
ad3d2bac2ada88cba32567a5c2dc67c7b4e3a0d0834c262e577dd77bf3b38cd60b35df72407cbea256343ced449d9c7c01d0a6ee58eb8d1188695359f47e15f2

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
80B

MD5
1afcc3a53b2154f10e73bb2e766f4e05

SHA1
feede5eb677d8659ef7824c3d78e32c1c3cdb9c7

SHA256
00d7742ca8257126b875ed941a04fd500111ec0ad557984d825619f09e93972e

SHA512
846ccad1e382f163af2aacfa7f428bc5c0e794bba734207a0875fdd94c3f383c0f7eb6093eeb289f251b84d35bfd0efb1819b9d61b0d1f34daf5b3911748787c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
6KB

MD5
d34ab60c5928af4957c741319347436b

SHA1
ba94aac987a2f84d2ec7e7ff7acbffd5adf27fe9

SHA256
0a1dca714a8fe6feea58615836ab8c44bb9540abc2a322d4fe7cbec317b7b4b9

SHA512
6969f450c2f0f1d5a7b3696a9be01801f0604c0135fc55c82a8250917f394c6a31c16503af63a98173532ba4c3af24c3faca72c1078f773a2ea5bfda5ce8b9f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
6KB

MD5
bd3f7eb4f1c6bce39f690ef5a17601d3

SHA1
219491b64a3ef62e749178d3a1b2c67d49ac4b87

SHA256
151869a220a5094c33e3509260e9062d992cb1c4099901ce46f3138ce8495914

SHA512
87b6cc56e25f385d21affa5361c431f0ec90048c9094c90b9de2d21d358a45a700b729c045334caca3743797e116b5e791e8b3ef898bcf92f204dab761c61d79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
8KB

MD5
6b59fa11908428dea7a7b43f537ed549

SHA1
d4c4ed22cd7a9c83b5e98ff34c578906b32d48a4

SHA256
eea14a4b59d7b11eeaf6c2b628c2008b6a45c5bdb620b72e331b59f25dbd64cb

SHA512
bd544ca4b42b915a392ba70ca8774f6c598b92546e3813b16d4a4d75714171f512f7c6415bba3e1bad3ebae5c67d94dc6253988bb8f6b2cb897a92381470de8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\settings.json

Filesize
62KB

MD5
26b9bd72c1e7529992c648b9a81bb738

SHA1
b24e87355a978c11904e8dc7570f0ecc9047620e

SHA256
00790d19d1d8cee7997e3cfd69d769ff1d6061c0b2ed89febf3fb5a225e2651a

SHA512
3b9bba670b1d7dcdceca22e795ff8b24f249fdc3b59de85433b1ed65c873a912e9b8ea3a8eb900f6e8b2fdafc162cbd673b80773dacc19d1e4a0cdf9f5fa4fd4

Download Submit
memory/1716-148-0x00000000004D0000-0x0000000000746000-memory.dmp

Filesize
2.5MB

Download
memory/2328-137-0x00000000056D0000-0x00000000056EE000-memory.dmp

Filesize
120KB

Download
memory/2328-221-0x0000000006CA0000-0x0000000006D32000-memory.dmp

Filesize
584KB

Download
memory/2328-136-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/2328-135-0x0000000000A90000-0x0000000000D06000-memory.dmp

Filesize
2.5MB

Download
memory/2328-138-0x0000000006340000-0x0000000006442000-memory.dmp

Filesize
1.0MB

Download
memory/2328-139-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/2328-142-0x000000000BC30000-0x000000000BC68000-memory.dmp

Filesize
224KB

Download
memory/2328-143-0x000000000BC10000-0x000000000BC1E000-memory.dmp

Filesize
56KB

Download
memory/4656-194-0x0000000005350000-0x0000000005370000-memory.dmp

Filesize
128KB

Download