bd965b3c1b2b3c146cb12767a44646bbd17ee72257aafbcf37c58a398c2e084f

Analysis

max time kernel
300s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (1).exe
Size

6.0MB
MD5

a5fc5fd1952675abf206368eecfdda4a
SHA1

6166035f3c373fc6ba2e0333d8c6b8e4f78b4229
SHA256

bd965b3c1b2b3c146cb12767a44646bbd17ee72257aafbcf37c58a398c2e084f
SHA512

0cb1f9f868818e7ca44c79eae7854d20a502108eb723a8f43b2846496ea7be0555723a9f4460f9225f77f90da1f87bde7cb5289232429471c20b3465748a9894
SSDEEP

196608:nC6R4R3+frg3N9vXxxLHtCwCX5Jxk89Yn0rUF:nK+Dg3zfxhH4jXHxkAxrUF

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
35	1200	rundll32.exe
70	1200	rundll32.exe
78	1200	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Setup (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Teams.exe

Executes dropped EXE 10 IoCs

pid	Process
1168	MSTeamsSetup_c_l_.exe
3880	Update.exe
2176	Squirrel.exe
3944	Teams.exe
2548	Teams.exe
3532	Teams.exe
3988	Teams.exe
3516	Teams.exe
2700	Teams.exe
6040	Teams.exe

Loads dropped DLL 32 IoCs

pid	Process
1200	rundll32.exe
3944	Teams.exe
3944	Teams.exe
3944	Teams.exe
3944	Teams.exe
2548	Teams.exe
2548	Teams.exe
2548	Teams.exe
2548	Teams.exe
2548	Teams.exe
3532	Teams.exe
3988	Teams.exe
5848	regsvr32.exe
5892	regsvr32.exe
5892	regsvr32.exe
5892	regsvr32.exe
5892	regsvr32.exe
5936	regsvr32.exe
5936	regsvr32.exe
5936	regsvr32.exe
5936	regsvr32.exe
3988	Teams.exe
3988	Teams.exe
3988	Teams.exe
3516	Teams.exe
3516	Teams.exe
3516	Teams.exe
3516	Teams.exe
3516	Teams.exe
2700	Teams.exe
6040	Teams.exe
6040	Teams.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\1.0.24054.1\\x64\\Microsoft.Teams.AddinLoader.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\1.0.24054.1\\x86\\Microsoft.Teams.AddinLoader.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Teams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4708	1200	WerFault.exe	84

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{9397FF55-EE06-4F02-8F2A-BE3AE249D4BB}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{24738605-334C-4C04-8A58-7AC7CAD76497}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{9AB20314-B258-48F8-B659-AD250DFA20F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{2F8C3E58-436B-42DB-8924-6C394B37DCA2}\ = "IConferenceAccessInformation"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{F4BEB62B-8A4E-4212-9030-B1B115E4C2F1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{4AA93AA8-898C-45EE-8E5C-1A86739B3F96}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{F423726D-0E9B-4B55-9569-E79865210F69}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{7C7F2D56-2396-4477-AA38-74B53717A253}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{36CDC166-4F21-46AD-A60E-8551F26C1D41}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{AC10D6E9-4A8C-4484-B8F4-CA1E36347AAE}\ = "IApplicationSharingModality"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{D9D04B55-D820-4D5B-A690-658A49368478}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{A58F54D2-9786-4309-964D-96549AEC7611}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{EFEC2816-F16D-48D8-9306-26C810F0EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{06437ABB-C419-4B11-A474-1A2B02FBD646}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{420A24E2-5C31-4262-9BD5-058682300ED6}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{76428270-36FA-4236-8BDF-AADB39FD1371}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3C8210C8-8578-47C6-87A9-FA1AD2BA9873}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{4E8DC7E0-04B8-470B-BDFA-F520099B975F}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{81C9D13F-A4F9-4E13-92D3-BB271E8DF3D2}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{57CC2235-96C5-49FA-B92B-350486C6CF52}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{9404FD57-1425-4421-A65E-F29FE3E11306}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{25D64AEA-0E65-49CB-8D6D-65DB0AC1AF65}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{7356D7BB-FD71-4554-84A1-3BBE28726551}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{5418E2AB-EB9A-4659-B4DC-28DE633B2B8F}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{232F1CAB-5351-4E48-8A87-2185445F712D}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{E66CA1CC-9DB0-467E-9C60-6A832ACD6780}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{4438E968-BCA1-4352-AE19-8516114962CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{663C61F4-A9DA-4A6F-A606-F142F665DF61}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{B335AE5E-E4EA-49D3-B03B-646A96FE66D3}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{5E7AB04C-E4B8-49FB-85FF-9E2BCA2899D3}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{86225E5C-7595-4D1C-985D-8A0458D714C0}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\1.0.24054.1\\x86\\Microsoft.Teams.AddinLoader.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{8057F99D-292C-4371-926B-5312E61A3A40}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{F97BED54-E434-4020-A197-F15AEA9D9C95}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{FD9000B3-479F-4B16-9D63-70A49E078946}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{C7ACB102-B692-49CC-92DA-5824822C7B96}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{AA186C92-181E-417F-B150-FCA0F367E0FC}\ = "_IFrequentContactsEvents"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{DF414A68-5051-4465-AAE2-4F301315734E}\ = "IPreviousConversation"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{4438E968-BCA1-4352-AE19-8516114962CF}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{9E0F8FCA-D9C9-47CD-87F4-5554217DFFCC}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{0678C83E-F580-4D99-902F-930699B28BE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{340C54A6-35CF-4971-B540-72D7F040AC24}\ = "IDistributionGroup"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{9AB20314-B258-48F8-B659-AD250DFA20F5}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{7CFE77CD-731D-48B2-82B1-ECA3414D62E3}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{8665FD95-7720-4F9E-B605-6ABCBD7EDFF4}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{00E22CBB-3170-453A-AE62-EAFBC75A9F8D}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{7452BD0F-65CB-4A5E-AC37-E2BEA1F43DD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{663C61F4-A9DA-4A6F-A606-F142F665DF61}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{38E5EC21-81A1-45A7-94D6-B812976231A4}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{36CDC166-4F21-46AD-A60E-8551F26C1D41}\ = "_IParticipant2Callback"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{5E7AB04C-E4B8-49FB-85FF-9E2BCA2899D3}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{A4E1D1E4-7839-473B-95FA-5D33DDC0D2DD}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{9E0F8FCA-D9C9-47CD-87F4-5554217DFFCC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{81C9D13F-A4F9-4E13-92D3-BB271E8DF3D2}\ = "IPreviousConversationCollection"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{D46E9D77-3356-4823-8072-9595D54D335C}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{B03614AE-8D68-4386-9E1C-939CABCF1232}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{CA62E6F3-3E6D-451B-AEAA-6A1B7AACF8D4}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{082EE280-726E-417F-99CB-81A0CCBFF883}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{62074904-8D06-43FE-A531-E63DF7FDC2E7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{D992371E-5161-453B-97E6-6E7C67BC075E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{B8FD4A53-E7E6-4995-A5B5-1306C7584964}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{806D3227-4CB8-47C4-9864-7D4DF4F44069}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Programmable	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{5FA92EA7-6E6E-4A82-8F0D-107FEAF5A75D}\ProxyStubClsid32	Update.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Teams.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Teams.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Teams.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1200	rundll32.exe
1200	rundll32.exe
6040	Teams.exe
6040	Teams.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	Update.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3944	Teams.exe
Token: SeCreatePagefilePrivilege	3944	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe
Token: SeCreatePagefilePrivilege	3988	Teams.exe
Token: SeShutdownPrivilege	3988	Teams.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3880	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 916	3012	Setup (1).exe	83
PID 3012 wrote to memory of 916	3012	Setup (1).exe	83
PID 916 wrote to memory of 1200	916	rundll32.exe	84
PID 916 wrote to memory of 1200	916	rundll32.exe	84
PID 916 wrote to memory of 1200	916	rundll32.exe	84
PID 3012 wrote to memory of 1168	3012	Setup (1).exe	87
PID 3012 wrote to memory of 1168	3012	Setup (1).exe	87
PID 3012 wrote to memory of 1168	3012	Setup (1).exe	87
PID 1168 wrote to memory of 3880	1168	MSTeamsSetup_c_l_.exe	88
PID 1168 wrote to memory of 3880	1168	MSTeamsSetup_c_l_.exe	88
PID 1168 wrote to memory of 3880	1168	MSTeamsSetup_c_l_.exe	88
PID 3880 wrote to memory of 2176	3880	Update.exe	97
PID 3880 wrote to memory of 2176	3880	Update.exe	97
PID 3880 wrote to memory of 2176	3880	Update.exe	97
PID 3880 wrote to memory of 3944	3880	Update.exe	98
PID 3880 wrote to memory of 3944	3880	Update.exe	98
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 2548	3944	Teams.exe	99
PID 3944 wrote to memory of 3532	3944	Teams.exe	100
PID 3944 wrote to memory of 3532	3944	Teams.exe	100
PID 3880 wrote to memory of 3988	3880	Update.exe	103
PID 3880 wrote to memory of 3988	3880	Update.exe	103
PID 3880 wrote to memory of 5848	3880	Update.exe	104
PID 3880 wrote to memory of 5848	3880	Update.exe	104

C:\Users\Admin\AppData\Local\Temp\Setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp23.dll,Test
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp23.dll,Test
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 816
      4⤵
      Program crash
      PID:4708
- C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
  "C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      4⤵
      Executes dropped EXE
      PID:2176
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.10152
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Checks processor information in registry
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1944,i,534519494461434567,11072972225384132374,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2184 --field-trial-handle=1944,i,534519494461434567,11072972225384132374,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3532
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3988
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1920,i,578209664517790552,14799882363165349998,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3516
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2124 --field-trial-handle=1920,i,578209664517790552,14799882363165349998,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2700
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1920,i,578209664517790552,14799882363165349998,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:6040
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x64\Microsoft.Teams.AddinLoader.dll"
      4⤵
      Loads dropped DLL
      PID:5848
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x64\Microsoft.Teams.AddinLoader.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        
        PID:5892
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x86\Microsoft.Teams.AddinLoader.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1200 -ip 1200
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x64\Microsoft.Teams.AddinLoader.dll

Filesize
242KB

MD5
28b2a0b7fe6c58b37ee21df52f7e651d

SHA1
da4e2c9d6b5556896dfd0a88fe4008f8ea0c822f

SHA256
31239e51356d4418793724c907d89046f7d3255837df3601b6395500f080490f

SHA512
9cfd6ea99ac0cf97827aca632bdb3668fe962d992ab51d67735c6005bc8ea740fddc4867ff4c2fe5469b47e2b7495c8428a03464e5bbd8c42a47ff20a3b2151c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x64\msvcp140.dll

Filesize
561KB

MD5
6016c528efa2947dfd50f9d5d8174970

SHA1
dc29c1fc6e426067da0c2fe4b6c2009efa7a5866

SHA256
54566ec70b5624aaaeb5a860b71cc2d1676cf4a2eb1d90513971d7ff637b2b59

SHA512
e38aed8cd260e2100b5e8dd2b7a139aee53ff04eef50d6bdcacb1dd430c0391bd6257895d70fd229a79c8f87fb34bcb174752246152dbd9c8d2620a566fab6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x64\vcruntime140.dll

Filesize
104KB

MD5
5eb5ba5682217e3776e40081f98b9f27

SHA1
6f3fdbe13c6808f8174c2870a2d1331b74b498f8

SHA256
13eca233809febcffaced1978abcbb5537b5eb701dcdb8883589719835968d95

SHA512
2d3205ad5b0c8c8c2ccf14ab412008ea661e2a4dceabf12a2a81bc19582517f229e765cec9e4613fe6e9d0804e564f35f6895af7f6d50fe5a0415e791fab0504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x64\vcruntime140_1.dll

Filesize
46KB

MD5
1d3a9a5995b6594ff2091fc7f3d62e96

SHA1
203b5c2aaabe344a2f25c9420cd7139f48401525

SHA256
1b6faf079d825b44dcc950bd06eee3c53dc962d18954d6c8573a3fa734de3d79

SHA512
098dd642a8ab1a8883290af995db396ef49a057ed478000535169132ea5aca1a3f65fd9172e5b4ea97daa6b7e2d1618ceb29e970c4d339c99831ffda19412db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x86\Microsoft.Teams.AddinLoader.dll

Filesize
246KB

MD5
ac5fb735eb9ea58d7441bad8a87d729d

SHA1
c8e0cd074ff7280b6f1285979a9902d7ee2aa1d9

SHA256
29244842ab6b230a06994731e1356089f118ee529f305695977b55d7a6891409

SHA512
f9a024e368c05e06da965fc775c439043d1413c48ef9fd0354569a1a106317c77115f2318deccc7c73e7a1b6322733fc7edb43cb63c185470e42f90a6cf704a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x86\msvcp140.dll

Filesize
436KB

MD5
f3255c4b4e3c2fb4e19080b3617a4344

SHA1
6406a71f96db2d3dd62fef59ed33bb2ba4ef5b68

SHA256
5db1e719850bc2850471c68f92d139dccb8b6f8b5c17beb79283c4838c5d6661

SHA512
088fafe61a63acca4d720a08f5fb49d858aa3646fa1ffa8d932fca6594d9b8331f6525cbdffc9c087ef29f4f028f797ba9cb54a5d8d6033e3f6634d8dd99311e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24054.1\x86\vcruntime140.dll

Filesize
84KB

MD5
e809c18906b0ae83f27e97c482a5857e

SHA1
92149e66ed8fb4b599705c8eb2af48f0737649fd

SHA256
6e2914efd286e81bcb27f953b74ce5f487c9504c7de95903e36d0ac6b1c3851a

SHA512
75e9457808c8bcc37ffa36b5e7eb574ee66e12a143293f1158cfae7ab79f28cd419415651db21e9f2b03141ed6349a9422fc0ca9c6d60af0fe98a63c836b9217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\meeting-addin-install-logs.txt

Filesize
1KB

MD5
af1c0e41fef449decdc0f7368897c787

SHA1
a99f8868450669fb488fe577aff71491102d0085

SHA256
3e762ac852fdc27cf2e240969e2b73c7c4a95bf8ddd82aa75ba60e6b89ba005d

SHA512
86250a44843b53c140a4cff319c6602ab238a4e551ed3c1cc26da83df437512f052dd4327c73839d74854d57c4194420d1f9bc56e7300ad8646f1881bb495ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsPresenceAddin\Uc.tlb

Filesize
445KB

MD5
e3c8b42670ebb0530ee81f427671aaa1

SHA1
f8c75abc800c7326e6e814947390c14575d691cb

SHA256
1b31630cd15bfdc663b9630790b968aee407730dc94f48bb96fbedac9ecb1002

SHA512
4cca913dd1890dbfa72195eff3cb5856ac6c01a4a910df719376ea13264e129823d3788eb874c222534aee1e1cf7b3ace71900002252449a872bb3c9447f3b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsPresenceAddin\Uc.win32.tlb

Filesize
445KB

MD5
2eb6c328ace10bee32eecb6609578aab

SHA1
3fde2f845cf62ff557fd49e46fa6f761cff4c7ea

SHA256
40f438a5f0d0e9ff5bbcab29d51bc7b6cba03548c5db021a05426665a2f98a69

SHA512
e4ff466ceba47c71046985ab1e62877bfc57d5a98f0e966c46f64fb23710c85cc2aa3bd2f4b0abc134d18a501d7a01ffe881110fc57a8b5ddb07c89dcd4f3514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\app.ico

Filesize
168KB

MD5
247d14144a313421d8d84aa0ea54d249

SHA1
83befdd6eba57faa3d3074aa08a28a4e8d75076a

SHA256
2d5aa67b8ace13a94fd09316787e3c9aba2adac767b6e2ab769a2265a2ad20f0

SHA512
f2d79a2a75148efaf90a4a92980e781b1f94a4a1034383ffe5749983085ef7eafa29d4804094296b212795501b4b4a126bc47c24a91b60c24104bc4b24d99565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\D3DCompiler_47.dll

Filesize
4.7MB

MD5
4f970a0001b32224db5e32219415180b

SHA1
f16c69a2b13ff6c4bb9092058478fd7012a32986

SHA256
d1450cf146607f242a86cafcd0b26e5666d838d71eb7c47705e7cfe81906bfba

SHA512
053a5ef3b9ee627d7d1af05d37078f267d25569a952eb2ed8e715897bf09f15fdc728c0981613754ba79d944871df175396dec029c26521c3448f84a4ddb7d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe

Filesize
2.5MB

MD5
7f1207b0bc33dc758bfebf6f60310e6d

SHA1
59cb208ab1a0685f8d8c81ac4873a66283039a5d

SHA256
b868f818d98bf6392a6d3770207e30e9a7e7618d1460278b025bfc0eb24553a8

SHA512
a5e843db125f7da3b642d1fbc338fe076954b6a837efffbf7fe5d28d1bc09c27575fc68f9b92b4be641a5bb30b64ab1a296de675d0d1cba654852cede60195f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.7MB

MD5
ffa11b9dca69124ed30cc901f3845045

SHA1
49a0471c22b6d7a6ad7d27e16eb72eaee58f1b38

SHA256
7831c209a8e9e24add80219a969550ada7087e7a1df3e646e9252a21b1793e9d

SHA512
77accb0b4987c0a7f9a26480639ec85e6bb59d33d93c8d572130e1fe393722d6981b6d9b05fad1d16e4e239da710ee3d176a678ec1b44f3780d51f352801f250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\icudtl.dat

Filesize
9.9MB

MD5
112b22cb7beec2b39dc0ad32fce6e28c

SHA1
7f1e3d30e01a8a0c2edd805f6a455fb2412772b4

SHA256
973ce575c7e1e9822caaeab90687ca655c4aed36cdf9579d2a1d4ad12259db25

SHA512
6b2a9cf628fe8f41456e96d13540c3ab0bd3cb69e88634c05808293fa46cde6cc637172ad3a36a1d2a31900ded7dcee014e04e8d78b2f02655a4331668d1e85a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libEGL.dll

Filesize
489KB

MD5
29ba21e724e1da119a3aa84f98c1ff3f

SHA1
ba3ea135d75883fc146e7b410d95f792c630fc3c

SHA256
7d039bf9ba0e96f592c60efc9cf6246c6d4b7220bb42217b2c0b6e74f85a989d

SHA512
ea126d60fe40ab8602dd0cf50f9740f989cdc9437988294e7f56cc656bc7134c987deaef20a2756b2d09bc2474f1e3deadaf41eccf47d9f059ba4739480d9ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libGLESv2.dll

Filesize
6.9MB

MD5
a376e9ee66902d8610a3df358321edb6

SHA1
05795c9c2aa9757426d82d6b85d60b13a8c08695

SHA256
237c100c72cc2300dd339944c2033d9d4b48b54dd861481896050418070e2a7d

SHA512
06db50d82536648ace84a800f3fa7dfd95d98595397d811b4ddb00f0c1b777ca202dc956e40bc9f19d91be46ac8d3131fbf7075d64e4ed34a915419b96de2e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources.pak

Filesize
4.9MB

MD5
ec39e11f63dc76f4e0333158f6479269

SHA1
90b92e03e2c299d241f6e392573ec7643f688197

SHA256
5066ceab1b4a8ed5bd24726dd85a1a21debb866800a946267ad6a009451c0f0d

SHA512
68e8a2e1f2e62e71660d9d8c77c3da86044f79ac24af0472752bbf13447ec6439dad938d08cec1cc5504a15a72b9aaaa1828039656890ccda7e10f91daf77d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar

Filesize
25.5MB

MD5
e08041c396b62e4d66569150ce5ff3a1

SHA1
002ef144b32d2cc96a0d93387fcc5c651573fd0f

SHA256
8c73bee16367e5e80526ba5f3bee411929c98c91c5f308dc5d51ce84edf3092e

SHA512
ac64ebee68c5a9d70afd014947957ba3bac268a36b7b6a007433100372749a057948c52e0fbe1e187865c32060f466ce72aa7958f01eab6ae6b1f18919c5e779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.node

Filesize
207KB

MD5
065085af0abad19597f88713d8687ff9

SHA1
6053da65d016eba65100b2aaf93682bc244c9340

SHA256
cfa18d17416794d6aedf2db0537ad854d4da6acf1ef6a03fbec081a7e102e651

SHA512
f8584bca9cbe128246e9c0937a585f1d35077a397cefad0e56e8b903056c7e9e90d3e973402e0e1c358b8aa3b0e5c73ed5f4167e5f512c2ed7955229ffe0c26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.node

Filesize
233KB

MD5
547c695f992471cc298759fff9d6d6b9

SHA1
30bed74b9fe281f1523bc2d97f115cc217a34c6d

SHA256
e5e57c05f08d460690a99c550307cd4e646d698bf7f9a7e3f5283b64b6852f0c

SHA512
af2d353a7112ce0f4e6df3788e665e5e1c06a90c46c1210dfc97be4c442d466e3537e6d29f349afa8a149cf17895c7d9d7dc1bc160724901394647539858ae6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.node

Filesize
203KB

MD5
d1956c330d6892b2e4d158802420b158

SHA1
b563322b4da7b72091b8049972d51fae50e90595

SHA256
e57817e412e71576ed71dcf9b456e8faea0075d7e7eb1e94245623a794861b99

SHA512
53a7628e4d547c3620d66bd80886cc75854ffc6655fcdc3f30b9c8e42b7db11f2d671da39e9d5b12cdaf0eb60dca05f3d1ece5973415546193d158798a11a3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\AddinInstaller.dll

Filesize
32KB

MD5
8fc02b9db22d321858ab70084a068ed6

SHA1
8b116c7178e0214f86175a748804a0c72121e151

SHA256
21f43b6d8fb1d6055d89e995962441d76f45548daed5ea17bd4de4253527bdbc

SHA512
a1006fc50b2aa7f4a58428ab8679caaa721572cba5e82e228710acdaa69abc6f526e6bc81dc582d783fa4fa1a15d32baf6d57f4e700664b811f0a4bcc49108f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Large_120.png

Filesize
1016B

MD5
e3b1ba3900bffae493b4463f9a6fbc48

SHA1
0bddcab7f9537f01900cb7a7ab0fbb1042e460e7

SHA256
8fde3d7378d0e9148068c3a9406d5bd754e93c9810ff5d2b8535fc2b65e0830e

SHA512
8ca0a6304bd871b1f2beccf6af9cbb2ec97d05b233b9388cfc760b262509b8bf6f9b50b837d21018fca6e8627fa11ae67f6af49440a837701b4c9ae920585246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Large_144.png

Filesize
1KB

MD5
6974cfc337bf190d728c6824ef94afb6

SHA1
741daba13f01c19518e2e1e72a93df2c96227934

SHA256
115340c0940669c7a55670f03737492fb86d5e34e0390e5664eea3f9b4147b0c

SHA512
679afa5d417748680624314a6e5ff63cbf37d11bf5e95fd2d2114076f1dcd75196849eb39b1d456a8a5db0019ef2c4c2fd61ea70651daf158b87a69d8b017faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Large_192.png

Filesize
1KB

MD5
177094a528723cef49fa2ffdfab57cf5

SHA1
cbae150edcd83f2e9bb87a0bb86cf076eebc41c2

SHA256
66cd5e3cfc69af5087d33c570cfe424b50935b01c27e618ca11822ac7ae6d1e6

SHA512
ad9394116d2e132eb2bff48f1ae4ab7aec5b372ffd2b7b41e29cd8bf26c87725bb48d0c3ad85f7c3c94b4556872a06876d1e95f4ad8a0cf63dd949dbe350d8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Large_96.png

Filesize
821B

MD5
fafba571265b20e0ec4423fead972e1b

SHA1
b686d74ff48e3b990f0e312bb0f3af4e8f53069a

SHA256
1fb3b4832e92b1e2f998cd2ff4a872000822cbb897d869194195e5c4f8d43cd0

SHA512
d0523ccc27436a80c5a14094ad244349efe68fb5a813f97539c3025fcc1f05d6cec9b8ffd04883e35bcd787a36901246687162b4b86717e81e747b2cf035dd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Small_120.png

Filesize
574B

MD5
503e86e4628933d17b5b41b4918d6c9f

SHA1
f884f45cf4ef5b435e554ea30f654f076e50bdf5

SHA256
1c80cc98643e1d060b9443c98e9afe663125398f7bb99e5bab2c0eb952c9c111

SHA512
22d115a09597f7a8cb0c5bcd0e0bba55798d3a431b28ec27e9ddaa356bf0af674bdb78e6d9a3911e2750354d42a8ad628ebd0a7716410360f6d1160258e12c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Small_144.png

Filesize
627B

MD5
75713d844925ac3404d59c5d56dd996a

SHA1
88f0f5b5450772a85fd61fb5fd54c3a6f7e48585

SHA256
d4746496079e9c334715958852fa8fb59e54dbdead19d83001fa15c1793d27b2

SHA512
b60e132bd5251084b2c7a22591d72dfdfebb7a24987adb8e78ca345694f6043c1f3c7a9205b6052cf3846fcf33179506bff88c1d1bc8093a7563cf150ec5d30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Small_192.png

Filesize
875B

MD5
f323d73771349b6374462b8a4b708d83

SHA1
39f8860aec7ac9ff8df80c770a23f3ac8c3be4a1

SHA256
ea0327cd2d987cf069747f70a317e552c0304170177101aa578f04d2ebe9ffb6

SHA512
5377fd3886fcdef87b61f1cc825655e6b977e370563b2c2f7b3bb675b8adcce621a47f056945a9c0a41f9c10bf4df6694167e62a310b146587f898d39e753eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Assets\NewMeeting_Small_96.png

Filesize
483B

MD5
a2761de768472d09d1e02c92ebd144b5

SHA1
60ba18f0ff47b9e9c3e23b5ae9e95e3d319b5c5d

SHA256
ac7fe3232888bf96c520d586c723149cd3127e1ce7cc65bc35ba1984cc27bbca

SHA512
f330db55b79e561d2dac1cd051421f91d6981a489a004eb0eae3ae090b1386ddf46efb675a9b6f75a0bb83f741b5da12e4dfb872ee41782773bfaec9014ca667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
76KB

MD5
bef7222e7c7a4bbe98fe5b410cd32ebb

SHA1
0d8a684b7e2d39e6fa20ab574ae406bef9699cd0

SHA256
1b0e10dd79c1b6ba4e72ea4e77c2a1884092c64aa8b1e1b1d26762e32b0401cd

SHA512
7c06a3e2d33556c3b295e47c9cfd70f0b4d00c6b58fe54db3250f2b7f9b3fbebb054464cfff008580077a8ad5279d3bf1bd948efd1f989becd79e0f8b678d455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.IdentityModel.Logging.dll

Filesize
39KB

MD5
307d7c7010add6ce51995c9b497a2bd9

SHA1
9fea5d0f7c9274efbeed1a1f8740f72702d0d49d

SHA256
0f87b0741b61f29182d157a6e2046e727e1e8acbe1dfdfdeaf38ee108c6a792a

SHA512
a32c73f40faf92530b11a6040985ab43d2234b383c4ec2d7b80390b56aa7f20f5a669e64fa56baafd59a25b5ceb131a343c722848aefb74849a1b97ddf6dccac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.IdentityModel.Tokens.dll

Filesize
915KB

MD5
ed06947afa2ec91f140a1e74db2534d5

SHA1
8d6066a79653f55961961ce9d1c3ddfdc428dcc0

SHA256
dfb7209ee044ed1e23552b654caffe8608cab2ec532d6bad071ce402585a3882

SHA512
92a6517488769edee01c857ad33711103b3df4cdaf34535db34f21b3775ef30bae1a1e8711d70607611de10722460903e67e0f8bda8588b6cb85042db0cc3933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.Teams.MeetingAddin.dll.config

Filesize
515B

MD5
ed080ed5825cf4893ca4f7d1395b9957

SHA1
3905e190109e5df90676f4716a69c815a6e52b44

SHA256
29f368def465f1ae30df31ebca4a976f180dbcf3718605b4acb0d6da95a30855

SHA512
73041863b7916b21a56d5c61933d9922d24b15548d7356dfee42c3ab617f72a04aa8080f3c5eb3f21d968ffb38c7244d4484e78540bf6bb8fc93600a017e43d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.Web.WebView2.Core.dll

Filesize
287KB

MD5
1272c99e9f3fdea7930655dbd2ae5a31

SHA1
59e734ade29b0dfd2501afbe29ab2e2aad288851

SHA256
a4167be61129e0ea101bddd56cfec436883ae7a24d838e291b5ef7e3a4727239

SHA512
dc12a1b238495715dd43aad2b0664aa577db155d91a27f234db34348e3f96b8c12d76893a4d8e84e7ef79734820cd91ddad49dcb873cee60d2aee92b04b79f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.Web.WebView2.WinForms.dll

Filesize
43KB

MD5
f6d012560dc63e1a2683d0f8496c8cda

SHA1
b6426fc61e15b021cf1d58386e6e2383134af103

SHA256
816941c3f83494d878db88ad56a03af03ec992b4103e9043d0136503a1b6d691

SHA512
0ad0b418e41bf12500a7887c28071aee6c3d644b7eed2be564a3177d07e42d1ff660dec0c40d7b9525398848e6a15fa7abf435405f9bc3a27b723eb2fce2fc90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Microsoft.Web.WebView2.Wpf.dll

Filesize
49KB

MD5
9f30eaef4ec66d23df0f04a7d92e43cc

SHA1
0522fcb4509966e08ab65c86c90a1894d9cbdb31

SHA256
f55a8a26d7d34c75e61153aed37c39228da9eb723ecfa64ab4a48906533bd28b

SHA512
f8d86641b995ff74729a82b9d00107c28575350ed3f1e5f9a889675b42840f02cd955b5dc65fc83c389b381c9a8515d26865b70870b4d8cbcadcb5d97065bc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\Newtonsoft.Json.dll

Filesize
697KB

MD5
1e2eea975b2b3d275fd9236ce079acba

SHA1
54c5db4f8ae5d74cb307e46a12f39c0dce1e5926

SHA256
2d804f8cc9f1f1e0c57b19dca1dd88854dc8668222aac47b209b6e869cd38f30

SHA512
e5ee4162c56a752843db8ff81fa9d9011327241c363eb9308ba9bbb2042ff1a27ecc4608d04c660e8e82a6da737aa623d80c1ee187c2412bc5c9b53bac4eae1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
91KB

MD5
7151585386ed393cfe8a4d4d34fd8c7c

SHA1
35ebd6783ae42807c33b4c005c51eddf5356f45f

SHA256
66c28b6fe7899c73750715a94cc14b3e07e85f6c13fadcdc8c62ab0962b02cae

SHA512
916fea7f5826a1de5918fe89c97e7e562682080efcebc045d3a966cdd82c2bbf7eb0d57e4ecfb07d35566c8b6192e74ac95662a690f139368d667d508e9d2308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24054.1\x64\System.Net.Http.Formatting.dll

Filesize
184KB

MD5
ecd5af2c2a1948ac0b865b425f597c5d

SHA1
eb3db6777f847683dbbd4d8d3cfe8975a9f582bd

SHA256
5747d766693a785ac99ca4328b0302fe65888ed01de94f0d925cba7236af8286

SHA512
c882b3c16f9e4cc864864220dc397e6124f8114d28a295c30274587eedb4846ca6137594ce38eaab6f01d1867eff41e73655df81e3fb051dc5300db16aef4510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\v8_context_snapshot.bin

Filesize
713KB

MD5
067b049cf02325f2ba017887051bee31

SHA1
afc4fd114d6a34891fb23f043aa99afac6dd8e63

SHA256
b604041f85fb693f130bf0ae60ce83ebfca56371cec261085620e56ae93ab591

SHA512
f9948e9f65ba6d86ae4fe6ec407fb393a05cb28c100a7638127572ab1c18be2b4333f619472c3a19eb19337739c10a79ba04325a555442ab35cff0b6e8847904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vk_swiftshader.dll

Filesize
4.6MB

MD5
846e2efd03fe5a2516e554bb50225668

SHA1
e2997a72914886f8ce94cd5d98b42d3975374883

SHA256
c2b87c3050680387d76deaed09ce9c13e773950dfda2d66aa48c17e3af4179c2

SHA512
d750fb9b63be62c84a03007594bb4a462551c5314e40b409a90ca8a410572dfd1bc2d444b4569fbe68ec4d17c2b091064a4b4f09cacc1abf2ec97388ec62ae45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\packages\RELEASES

Filesize
83B

MD5
47e7747470af9606bcc2211e6b4bba27

SHA1
7fc6f8940042d3bf2cab5fd4894b0c1664bcee13

SHA256
cd26e61644bd3107c2386fe3eace29ffd9d77532de722cf4b4562755d939893d

SHA512
90cdbe250b99afe0cdea1ad60b98b08a2f42d29950d020903847c7b92d54f62dc4abea982219c50902268e206403e3cdcf64a25535c013a991ecdf6e7bc469d4

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
8f0e958d7ef57d727adcda1c67c24c2b

SHA1
da68956f5e16c2d76e87367487c2a82a6b8025cd

SHA256
4955cc6e58049ef1e274f340c8425cc55b324278199c92ac0de87df05bfad35d

SHA512
bbc325e94390053aa6d667d1fe3869772e788370f5cea9298fbfc8cfab73392db719f943c7e757693cb2ab80174b3fbeb40ed9b487b9ccf5cc748bcc6ad85558

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
8KB

MD5
ff1f29dca0451246c3ca6cb7b023434f

SHA1
b26bea187f072d9a401b7fd06661492418b893ec

SHA256
753d7d351e427246e2b6cc86c45e21f952939e306c3eb2fdb1bd7d67842c64b8

SHA512
ad3d2bac2ada88cba32567a5c2dc67c7b4e3a0d0834c262e577dd77bf3b38cd60b35df72407cbea256343ced449d9c7c01d0a6ee58eb8d1188695359f47e15f2

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
344B

MD5
677cab9a8b50ad026cfa7625a35dd2d7

SHA1
236780c5fbf2d5607f7cb165549584c9153112a2

SHA256
07890dda20815e1e57dca9553f5dfcff1b85f4a4369685d4991599e2618978f0

SHA512
d1863063926b405a6bade3327cfde25983d94e626d568abbdbdff9ae95e00061ed9ca80cc03a826c2144e4469a2734ea887a6c56ae0ed0caf70ce0077d219162

Download Submit
C:\Users\Admin\AppData\Local\Temp\CleanUp23.dll

Filesize
4.4MB

MD5
eb76163bfbc33bb12e35b802499c437d

SHA1
4569de8158cf2e49b7acbf4fe006c79e4794d2be

SHA256
63d53bba3e0614961d7e36c34b6f6b98a016afa08dfe97c3a5706c0d3cdfa696

SHA512
b34c75520a23c254c9205729039ccf960e5077ec6f1cd1e21d85bfccba7456ddce02603da7eaa18914c45467b18af78a1448cc7a88b064fcd5a1c9f78cf8e1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe

Filesize
1.4MB

MD5
cf0e0f57b68a11d099ec944200a6069d

SHA1
1ddc31265d8dddba4f82fe34a66a1bc4000f93ad

SHA256
73354811e3109e265821124a18b1b7d9fd3dd1207bb46c18937d250c6ab46dec

SHA512
d0f7cc46f8c1fffee67528c57a91a693b574386bb86ec85c8fe0684fc305a6a5121965df4470950e36d2e1025c6ef435c58534d1885ad0c7cfb07759b2ee5c0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
5KB

MD5
bafddf785b1b9017df7a497e34175ec6

SHA1
02eedf5bb9e1515e90c6bcff14df5907b8092cbc

SHA256
9a5f8b937cc73e34c0c7235fe604bfe382dfb5188ce3f2c604fba88f328ff307

SHA512
4c7670ab4d44eb1ff9fdf52ad72013c398b197a27440b0a7972c46430f389bb684807c717f92a29fb69d25f39fd7eb6485aebd5f3939b6ae2448af0ccbd068e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
6KB

MD5
38e4a4c68dbe443d46ec7a0f184fbcc8

SHA1
223f0c38594b4e926a7dce565c372a5a1a2dec19

SHA256
72627403c8d37c69db50200be354e71d1e105aece969e63d91309ce824a1f931

SHA512
ba219b5b9e74909464d81035d6b1bc7bf7de97de61c1e388edfd1b18839edfe0283537d0f114ce313c3aaf719c0f3cf39ee2615a68eafbe104f1c4f36911ec38

Download Submit
memory/1200-1117-0x0000000075400000-0x000000007586A000-memory.dmp

Filesize
4.4MB

Download
memory/1200-1095-0x0000000075400000-0x000000007586A000-memory.dmp

Filesize
4.4MB

Download
memory/1200-3-0x0000000075400000-0x000000007586A000-memory.dmp

Filesize
4.4MB

Download
memory/1200-49-0x0000000075400000-0x000000007586A000-memory.dmp

Filesize
4.4MB

Download
memory/1200-27-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2176-517-0x0000000000F20000-0x0000000001198000-memory.dmp

Filesize
2.5MB

Download
memory/2548-545-0x00007FFD1C2D0000-0x00007FFD1C2D1000-memory.dmp

Filesize
4KB

Download
memory/3012-15-0x00007FF68F410000-0x00007FF68FA18000-memory.dmp

Filesize
6.0MB

Download
memory/3880-26-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/3880-23-0x0000000000980000-0x0000000000BF8000-memory.dmp

Filesize
2.5MB

Download
memory/3880-24-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/3880-25-0x0000000005610000-0x000000000562E000-memory.dmp

Filesize
120KB

Download
memory/3880-32-0x0000000006570000-0x0000000006A9C000-memory.dmp

Filesize
5.2MB

Download
memory/3880-1065-0x00000000070D0000-0x0000000007162000-memory.dmp

Filesize
584KB

Download
memory/3880-46-0x00000000085F0000-0x0000000008628000-memory.dmp

Filesize
224KB

Download
memory/3880-562-0x0000000006E80000-0x0000000006EA0000-memory.dmp

Filesize
128KB

Download
memory/3880-47-0x00000000085C0000-0x00000000085CE000-memory.dmp

Filesize
56KB

Download
memory/6040-1100-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1099-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1104-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1106-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1110-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1109-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1108-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1107-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1105-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download
memory/6040-1098-0x000002852C810000-0x000002852C811000-memory.dmp

Filesize
4KB

Download