c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Resubmissions

18/11/2024, 18:16

241118-wwktsssjgw 6

18/11/2024, 18:08

241118-wqy48ssfjm 6

Analysis

max time kernel
299s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e582323.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582323.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI267F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e582327.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2575.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3FF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42F4.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\FriendlyName = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\Description = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\ = "Connect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell\open	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\ = "Connect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\CLSID\ = "{19A6E644-14E6-4A60-B8D7-DD20610A871D}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell\open\command	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\ = "FastConnect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\CurVer\ = "TeamsAddin.Connect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\CurVer	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
684	ms-teams.exe
684	ms-teams.exe
684	ms-teams.exe
684	ms-teams.exe
4424	msiexec.exe
4424	msiexec.exe
208	msedge.exe
208	msedge.exe
2556	msedge.exe
2556	msedge.exe
4992	identity_helper.exe
4992	identity_helper.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe
5920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	Update.exe
Token: SeBackupPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeSecurityPrivilege	684	ms-teams.exe
Token: SeShutdownPrivilege	4508	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	4508	ms-teamsupdate.exe
Token: SeSecurityPrivilege	4424	msiexec.exe
Token: SeCreateTokenPrivilege	4508	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	4508	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	4508	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	4508	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	4508	ms-teamsupdate.exe
Token: SeTcbPrivilege	4508	ms-teamsupdate.exe
Token: SeSecurityPrivilege	4508	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	4508	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	4508	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	4508	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	4508	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	4508	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	4508	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	4508	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	4508	ms-teamsupdate.exe
Token: SeBackupPrivilege	4508	ms-teamsupdate.exe
Token: SeRestorePrivilege	4508	ms-teamsupdate.exe
Token: SeShutdownPrivilege	4508	ms-teamsupdate.exe
Token: SeDebugPrivilege	4508	ms-teamsupdate.exe
Token: SeAuditPrivilege	4508	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	4508	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	4508	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	4508	ms-teamsupdate.exe
Token: SeUndockPrivilege	4508	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	4508	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	4508	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	4508	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	4508	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	4508	ms-teamsupdate.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2768	Update.exe
684	ms-teams.exe
684	ms-teams.exe
684	ms-teams.exe
684	ms-teams.exe
684	ms-teams.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
684	ms-teams.exe
684	ms-teams.exe
684	ms-teams.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 2768	3084	MSTeamsSetup.exe	83
PID 3084 wrote to memory of 2768	3084	MSTeamsSetup.exe	83
PID 3084 wrote to memory of 2768	3084	MSTeamsSetup.exe	83
PID 4424 wrote to memory of 4676	4424	msiexec.exe	106
PID 4424 wrote to memory of 4676	4424	msiexec.exe	106
PID 4424 wrote to memory of 4676	4424	msiexec.exe	106
PID 684 wrote to memory of 2556	684	ms-teams.exe	108
PID 684 wrote to memory of 2556	684	ms-teams.exe	108
PID 2556 wrote to memory of 1036	2556	msedge.exe	110
PID 2556 wrote to memory of 1036	2556	msedge.exe	110
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 1148	2556	msedge.exe	113
PID 2556 wrote to memory of 208	2556	msedge.exe	114
PID 2556 wrote to memory of 208	2556	msedge.exe	114
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115
PID 2556 wrote to memory of 3848	2556	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2768
- - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1731953473610&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID 1a0e18b1-0a75-48ab-8ab3-b8b7b48bbf8d
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4508
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID 1a0e18b1-0a75-48ab-8ab3-b8b7b48bbf8d
      4⤵
      Checks processor information in registry
      PID:4344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2192112
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff79c946f8,0x7fff79c94708,0x7fff79c94718
        5⤵
        
        PID:1036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        5⤵
        
        PID:1148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
        5⤵
        
        PID:3848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        5⤵
        
        PID:2820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        5⤵
        
        PID:2772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
        5⤵
        
        PID:3960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
        5⤵
        
        PID:428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        5⤵
        
        PID:916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
        5⤵
        
        PID:3444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
        5⤵
        
        PID:4972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        5⤵
        
        PID:2608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
        5⤵
        
        PID:3320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
        5⤵
        
        PID:3016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
        5⤵
        
        PID:2884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
        5⤵
        
        PID:5016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
        5⤵
        
        PID:4672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
        5⤵
        
        PID:2980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1148 /prefetch:8
        5⤵
        
        PID:5072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
        5⤵
        
        PID:184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        5⤵
        
        PID:3444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
        5⤵
        
        PID:1868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
        5⤵
        
        PID:2092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
        5⤵
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
        5⤵
        
        PID:5232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
        5⤵
        
        PID:5560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8805537642946654732,1568033831873157744,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4668 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 67AE2F0F89ED030006A41C6468B7C23A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x364 0x3d8
1⤵
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582326.rbs

Filesize
350KB

MD5
4a8956c9e22643c2322167579809d548

SHA1
2a7fb8c850f5881e3f25ce14a5e37c67cbab96e7

SHA256
c7c1bb2c1e30b96e901bf3a6833abc58f689e83bafb49fcfa07c43a60d6e6c9d

SHA512
40b7e6506e5a95d5b041b79b9e3b8addaa84d15062cf8aff23b58233a83a9dece159a11278249efb5a40ff8fe9253c460247b4ffb2ca44af4b25bb485a880f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
9d0cd5e87696103f2f54a104937b6d25

SHA1
ee37b3aaef78a9cd68dfa6d8fc4cc731c56966d0

SHA256
1f3e06d5348cc8e5de491c4fd926c118298a7f689d38fa5f387bfddd722d1274

SHA512
0d48b45297e5caaef378ece31c6fa36acfe4881b7ab99b4467276dc3f71d0308016ea0fae878e706c63f543ca77d5b10ad41db4b06b28d798686403a093ad266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
724bc5b1af379436e35dab5d9263098a

SHA1
9ca9ae26596d7bffaece559898e2ba28c0880833

SHA256
6ee2c24e8f0eeda61d1a5b5a7b8f4ca91ce283d614e1f4d5d3df21719d0023cf

SHA512
3c447ee0e65ef68a2dd0e031b2a96e1cfc5c38a555905f1c4821b6ba0b5d6d8d08dd29ebbb50a160d8c88bbf0b165742cb94bf20438eb796d6f3e928b6c11684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
704b331f0f685cbc6e5f7ccd0936192d

SHA1
6325f393deb51e955e4207781b33a9e51e8837f7

SHA256
c2d38df1dace3fb8a3c300fb6c2dd3c875a13fd81e82c7e3a695b528bd9f5733

SHA512
5087f3a83cfb5a1fd7b09776df7f7496bf40b679b6d16d23d5e6368f7e4a099f219853dda241b9f118fb69b8a9df17e02045da3f0379a01cfc5b11feb910b473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
4d2f5a4667b7f96f573a58a248d7bc2a

SHA1
bcd2da581e8acc560c6cd93a6ac36e310c4c953d

SHA256
ab0f0b8e007b0e687bb6c48e516e1ac9c0e0efe226ecc6d0b25bdd7ed7843c52

SHA512
917127ec13bff9761005be25b69326dc589c0f5cc63021dc3699d3dce4b0e38405cb1b45a1a9cfe93770b19a2287b133dd474f78efb05292a701e36775a6c88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
b81cec6e487ff704a962d04b093cdbc3

SHA1
5c42c845227d77f9dadf79d4cfa2d7a456d752dc

SHA256
972b0179074f563a37957f64b40844e5a2c46d3c956c837cc2228eb51ce13e91

SHA512
ebf7f42f32b490c4d730e2de16238c714a0052db08cc1c1e1516ebadc82bcdb0e4af75341147663d973c07864c980c16a899f49a8870b1a59059386d57ab9196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f36f07e5b80f66e86314884bf5c1382d

SHA1
b244af89c28b5cd22592497b3c90026e79873248

SHA256
a39694e987e585aaa2d5743ad083c4521d6924875d20d20e428c397d25a2b7e1

SHA512
a98a73b905aaad80e1ce2b8118df3693c4212353da83a6962d48872ecf45a7385b1a5b9440bf78d39688145f156d42511f3b7d55ce44b7b5cb3185392845133b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
934B

MD5
d947e9181c01577067fdac4c10dadfe0

SHA1
22022008bbfee53e9fb391246fc40a3e298c87a3

SHA256
62d2106b2fdff62214df9a9bd794e8a45386aa56045edfdf012559321648c7fe

SHA512
e49f99495bafa9fa019211fd203387b9b66164546f1cdb2a3f3d29443a728bdedff70b03dfe51c2c852bbee5d3ff9eaaca5d4491892657627312af22943e7422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d0680529f848cb94bb57d0cb4ae8cbe

SHA1
b7bddc952ce4e086b90b129b1f64e7bac15be7ec

SHA256
ded7c82e83ac13a901bf09c7bbbd33f899f5411e06abcc828be4aabd8edde419

SHA512
0a7f841fd2d7e00b0250c49e801c73fe939ab8295e9bab0d4e548e9a46a8a7a5e1c343e8b64920eeabca2fb9d86a4c2d7513c588033825db13a42218b7a42c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b3ce11a2218d3e54c88fbfd598a8f3e

SHA1
3873585764862f92ebd3585b956cb5f7b98856c0

SHA256
b9803366ee46ea3a9bbac5fd04db5e0e8e73b14fc2c06501f4e528dc46132e10

SHA512
6e4c6417336c5ee738b90ee4b814c90b16c1b94de6a7e313ea47ab6a394fa0dcac0b11349b6c462ce0ca1f88fe90a760a5f173c09c8d7b8ec1a4d0443074fadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af9c743642637a9fd58c675e19fd8648

SHA1
aa76b43132258b35b348f8f493204003b4baa014

SHA256
1c6ffdc7ea42d82e010c1a60d96569e52aee85fbe9f6e22e901651bd5047c029

SHA512
cc7d74373d8b13f92d864fa1e93cde7ce51103e1fc499646ef421752ab26e0fb8f74b1eb91d39d94f1f6fbdadf4df95723f72f870b48d4e3e87106d6780e627e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c5aae59a520a2ab2c355067e868ff930

SHA1
ea44d8bcfa35a29ca47e583fe177e86cbea9f6d1

SHA256
ebe637e35dab7772bf0760da88e86947b7f30a32b8af8c32219fd238172655ae

SHA512
aca996dc5f464aa8f3598264f24f924783019c0fceddad3a2bc26a67c422a641b364e494e45092505f6f1fe76798e7e9d1924153648eef68ed00353abefaf2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
32ed06d51e3aa99fa038712ebbaccd49

SHA1
da19bc97d0785e1694b2dd97592923df36dcbf01

SHA256
571b68b2f443d2f20fddb1651b7a7b618da6a932dd4a0d3ff40d48d223636c12

SHA512
4dc71ab0fd4a6126ae5ab67a90d35d7edc1ccbccf5d02fa967fafc38157833e0e940284db9965ad82818738a14e9c06e70284e8abe339cd82b37ea79178610c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f956a6cccddb60db3d07f1e14da45c7

SHA1
5b263b3e99a2937f05a5921de91ec1cb3525bdd1

SHA256
a08769d76c20ac8e4e655fccc381b17b31d81e23b7dfa4c6feac7a4cf1d1376d

SHA512
fc344d85b66a1089b121a33add3db59b842d79d16d98efdfd0b9dd2418bb0a322e371df3a281b702098798b95737f3a45054b1d0c814638285688eae263ee4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\1d0465d9-ea50-4637-8e68-2b1923c121ec\index-dir\the-real-index

Filesize
96B

MD5
1cf21882176a465d7c6ad611899c9a6f

SHA1
8e14c3c18b94920e772e002c013aac851e35150f

SHA256
0e3ae0980a4fff4ae89f8b7000cca6490289991cc05059370dcd8ff99bf6a0b8

SHA512
2effb3c709d9a926749468c73613c93480753c922d8c51572ab2121e8d90eeed731173ffb99eeda36bb569c21a2159ea76fd158c6972a0d20434dc0bbe4933ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\1d0465d9-ea50-4637-8e68-2b1923c121ec\index-dir\the-real-index~RFe59e2a6.TMP

Filesize
48B

MD5
ec1f30e9bb79d1d8c1ceb8896288f160

SHA1
858dcdb59874ae85528f5c99850657e6f4c5a734

SHA256
3d2e3f5560da083e55dbbebd5cc77a85c6c170c3412da152cf5d3225e7f0a6d5

SHA512
ceaf82b33862304370b9b7fa510702d8e547cc5bc166456c8797cd2835b46a0e37aa3e6442371859f8ec18446daeeb09352a8adf85ddd2f45eff3b8f91113f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\b52a4a47-1e07-493a-86a8-1ba341c6acb6\index-dir\the-real-index

Filesize
96B

MD5
dcade28bb26d496d4208dbcd8891b2bf

SHA1
295d3b0b1cac492dd927bc3d93bdd6f253ef0d43

SHA256
bdd4dfb79ddf21aca828ad19c1cc550c9c6b625cf9c8cf4763485ee50ee329bb

SHA512
6b1348bfadd269fd25ab7cedfb889d5fe80f08833f95c1bc918d90b04c9375d3a4d3ff8552d41e1623d2209f682860beb9a98b1e3a11d4882916e31f13fb295f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\b52a4a47-1e07-493a-86a8-1ba341c6acb6\index-dir\the-real-index~RFe59e2a6.TMP

Filesize
48B

MD5
d671c239f3c16cc05f391e6303d05291

SHA1
3958765a57bafb385ada212eb4e8f0bb53f7c2bd

SHA256
bc33749a1d471cc06b567559ac632496d6aecdc65e27dcf67a90638ec9d746ba

SHA512
4ac445f4a626a86859a2e275d14c8e096e1cd84a76b9679defe0938d1103b75c80299f9bfe7acf8d313186232f23eac074e38d31c9ae72160946b7f8dbca3f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\index.txt

Filesize
107B

MD5
443e2be0963a950feaf393eaee06c4df

SHA1
86aa731f25e4ce4c90660e0a1f464e818829cd22

SHA256
fa5123f9473dec5adaa4b1810c5734386798369cefc9f6753d2c1b72338a380a

SHA512
f4d71916824d81eba8381628b3c966b1ec5e55147a38ccf90f42c257a56b7b37cd227b642205d857c79695d1574d1676210b9c4964b1430c5c9d982143b4c445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\index.txt

Filesize
181B

MD5
2a470938c39ef7309e450ccba0e281d2

SHA1
a9817f820a143624055431f3d029f6a561d96a18

SHA256
0d9930900847f49276531715afab2f41bb0c36358466f4935500b4757196cbf0

SHA512
af3f212d5be075608af196ea24fa9689d1eb6b7ed9ac67053d0f9625ed642fa78de02422a28db0dd501ddebda2f53669904fbfefa02465893a27c4c74e080e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2b5c392d2730c0910fd56433cc5e73e510d0f2b4\index.txt

Filesize
175B

MD5
7dbfa8fdfab168d11e65df94c6c2b31a

SHA1
2ad0f6d2b36dceb4e30b1d13c1eb4793c0932daf

SHA256
622227990c059b9c01188a66d58c79e67ec7564ad744926228b165c85331d097

SHA512
57ce754bb0a562fbd051327dd3ce74c8f60ca45d13a21ec59f8e8dc88f8d481c864435094ed8eb718bfee16ad16c17c5417613e326f0beaf45aa1b3253d70881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
239130b62cafe5a33e24d5b944b52447

SHA1
58ef98ccea4d84f3d7f7f0ac1d5a3ab2503a6517

SHA256
25bc94d35afca9aca1de39d3ddd0b0cae700995cc2d5d9c862a0b68ec59a05a6

SHA512
af6b8c508e91cf352959d3ca7f6d9247687b3dc077bda2faf0ecdc3fd8ecb723f7cbc49b1247678f4d1ad39c65c3c117312ce466a33ab01e352a894d89b4cfcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
34d19d4e7e526279764620c559f6dfe4

SHA1
979013892324ddeb98cf5e2fef531ea87c693045

SHA256
a953d414730ec105399172e81fb8efbae000432d4b5498a09fa0b7dd0f0698f1

SHA512
28f47fb16aaf70c7e616422477d9e1995f82596c908ae4dea31bc423e47828db467f6f01d1bcd1a2dca6164d52151d1b51e200dd1c410c42e866c9b881172782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
75a274824a8c852da7f5614b3bc7737c

SHA1
82730940524b9e6e430089451a50120f143471a7

SHA256
9491459d83f3443995d4c34eb4c70b970692a2ebd9f374e8b9206c27ca1b7923

SHA512
69695680bb0c497f9c76dd9d0cefc536c4e433cb0cec5c53975dc4eb79d49f01c37e374ab6daee57a324b1218d6ad2b484bb0c0744074d600fba37c6e6aaefef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a8526efedcb44da97c450d744b480f59

SHA1
07e052b2d12c40ce6806ffd9d85f55805bcfed85

SHA256
4d54e73a1e40b9d1c1f810bf0bd4ca9a6a3aea30f4d995f1a69fec8e6d120613

SHA512
8570d81ab27b23958ca3925b89fdcc628f9e93bd46379040f1b8b8fafeec008ea2439ff4779e5f8377ead958de295ca9b687b4705e2b0d6c20ea6ef9ad6c2be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59967a.TMP

Filesize
370B

MD5
e6b886b4ce48192b983b76f95e73c3ac

SHA1
c8156012efdeef7ab24d13972548a9815ae583a4

SHA256
8862ba594a86bb53c92d1dea8cc7dc4e6832f9eb525250d4231a8340e4879bc8

SHA512
9e1a6421016e070bac8d98d33ec806424f04706351957e8e7f2d772686c1c2a0738f965e0f05b2e12cba745ac75c7c0f53dc6ff4e2139e2c0ca63d93fe444459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
218d981c2f4db9154b5597cd5405809a

SHA1
dd92c947ac5f13bccd1a7795b0c0b8caa85e2ddb

SHA256
d0075f3ea6e3e4e3961b649254e1a74b5b29bb62785b3f2caf819d69343a3716

SHA512
d5d8e7e6cda0fee653d66107d8aae12859d94e0288b2c0189714a5bdb22c449c95e1ab38ca8f9dd4603463a68f2132eba28576bee232c0fd9568fe73698c47e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\AddinInstaller.dll

Filesize
34KB

MD5
74c8e73ac9df19ffae99f833d78b58ab

SHA1
f576f7eaa7f10aa8a062c3a8745f5905b796fc79

SHA256
cfd58977a316a67e3f3587703d3ba104dd9a04e88aec44fca06687143ac263c0

SHA512
da66eb6fb1c6423ed25bc8de4b7102e287e34510a10089eca6501c27243b03c9377dc9b14fb741e86198e3bfda5656e20073234f2dd62b41b20e084b4e34f180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
985B

MD5
5995d7d0c7088db15b5c906d5910bb19

SHA1
f1aa2e752edc1c20a317f022613e582e32057d18

SHA256
4d7a73de9bb2d173fe4cfbc2415e40081c110bfa0c8bb8ee15c965a5741badb5

SHA512
267a1056d3a4c164afad6cb88fdb21596716cff7eb4f7b18fd4b6eb6c5aaa2a85ec5d1083231619f4600a87ded42e7744362017e46a589baf0151ff396129ae4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
3af01f51547c5a46d3cf79fc04f66c50

SHA1
44b6a0d314b932a93365f256154592e11ace2bc3

SHA256
263346f35e4c0643b75caf9b88ad956fe49cc6e86f99967a2d4ceed343dfc487

SHA512
4c427df29670478622e0c22d16e55ae2c2e49a5e81740c8cade7497509a123e08013d3bf2c3294f32ca37862e2c7169eedb14c8df2295d52c1ce2cd10f9853ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
86ba41e9a8c725d28d3d3faa84679e2b

SHA1
20667568cbf6693e7238240072bb8b4e17088528

SHA256
ef63cdd8cd9d8c1b95dda319b2f35eace6a17be6b9d8c3d6ff6d287435f1d1f4

SHA512
db31c4b2e526019997cc435da69fad0a7fff6088cb3c148acc974309a14815639848c4dbf6324c0dcdc497a7662f158bedcb36a4d635a47c8b5ebcb883c04e68

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
58d9edbdfa9a701c69d770bd1500b538

SHA1
73c9509c22fb2a1e3822d710ce85d007d4d34dd5

SHA256
22f19ca977d410f0a0e6971d6f80a60ccc13a874a5701a3ccd55409a7959a8f2

SHA512
f61cb612bf298beea24c955ad6df11ac12e8ee46f1ab20a1cf239478df459abd1a7c57ecf6d31a1a665e481b685fc74815e112579eb2458ff13882daf85e0be8

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
edd0a41e01de5bd15e4052cb08cf4138

SHA1
01391380f6e1dab8c17519aa1208f6ec94859c41

SHA256
671b7b1eee7e24513b100b252ad7905d376380837148fcce717017e688e5e56d

SHA512
a0f68b19ab04f1f2c828e67934bb029ccf18cd7e667b8ec3891a7eb4c18c8ffbdcd6ca524e0d065ca05776aa6a07987967a32c48226aa57502dee6838ec8cf26

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
c52d62eb89d5bbb3f21834da58f858f8

SHA1
1680c6487b981c56c35ec9a6a5983e0933c43411

SHA256
c5d15abd660e5e9211f8ad9c40007a96f89f4857f4c7b9fd8cf23f6d8d6f3015

SHA512
2f8cb2f05a78d72c109f82c6971d175a280c0aab22f1e940c183d45d97cf7b9972277c3cf9aef1db817634e1c6f6b35d7cd7ab45964fc0e3655c1ec520211428

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
f62020f21a6fee446ef0417eba474225

SHA1
2b85edf1be7dcfade952db2c033c4465c7f756ea

SHA256
bc9aa2455ace65a505173496fb1675a435b403339e4421758a569e2561677d2b

SHA512
46ded8ae006a3c129e5356ba15710d7abfa0d27ce1f8501282fe57d4c4085c3b1a2652080aee2fc0e99e389cd225204ea31e024f2f78f22df31161bff003ffe6

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe582035.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG265F.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
56KB

MD5
0c3f00029eeec877b2d56ff673ecfc07

SHA1
3d6b994c66dcd5cb2ffeccc07d088889af7200db

SHA256
d6733f1fc8a738caa6a7d97c9f60b13da53d203bd3f643fbb319ca1fb7376aea

SHA512
e5d65af8c790e33b276454c444b7554a08ffb2fbfb63cf5c65dfd7582cb828fe3eee94984ad064641ce18ce85795d9aba370c015d54775fa35741616bda4820e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
fee9d7b77236b9fa078283d1c487e368

SHA1
82004014859f7e1f82974dae6688208814eced53

SHA256
0a5c2cb49aaef5eda7610966a19373bd80f93db73d5974481d6a18d26c1d533a

SHA512
a5d3d155b8b18a48fe418b142bbb5062900a663060f95045bae0d3dba8864ae49950ba182d8b4679b64cdb12f46fa9a9dfc17a3bfa1a8db6fef567ca239b4cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
52KB

MD5
a0c8ea26e40b6af92a33f3db1679575d

SHA1
284c76a32d5eff19891f8ecede2472ab763ca435

SHA256
47ddc16996ef60339dbd5630bf3d00d266d032221fc35fd81ed3c96f0c684a57

SHA512
7ccd2b94fca9555eae051b19ecd0880f1518f66952d7a6972b36c7b7cbb9359417ebe13f3c33ce34e9a47af09c9cd58721392522908e79e273d64c1d8c2c03c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
b55c3c992a514c440a00ee841c51c53b

SHA1
c2f0c5e0b96684f15c01e87a7e342dbd33a3c878

SHA256
76035b21a42bbbe9c25ba40383af0b8f0808545ac2acffbea3ffb107ee93caf0

SHA512
5895033e13b0961b3806cdfa5ed8a1b5cab69f78fcc8eefece77b5e18eecfb9b5b65a21244a9c92300899293b9d8bd3f76dd79beb8f3b5b05fd9014a9ef3478d

Download Submit
C:\Windows\Installer\MSI2575.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI3FF5.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e582323.msi

Filesize
13.2MB

MD5
cebba83400d9eb6d33ef0bb7332bdada

SHA1
21db05f342dc62d01a863c63164f83bf00ad7f8a

SHA256
2db4946704305d2f59ac879da7ec8f8a4d928d6badcc2fe2bea5f375fb2d2314

SHA512
2d082dbd6214c51c7226f9110b02c0d145cf30b181d274393b9a27ad38d86d43327cecfc15521770812e6772dc9885f9b0c704acabb58618ab196f8bd3fe24dc

Download Submit
memory/2768-24-0x000000000C190000-0x000000000C19E000-memory.dmp

Filesize
56KB

Download
memory/2768-25-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-37-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-31-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-30-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-29-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-28-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-27-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download
memory/2768-26-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-10-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-23-0x000000000C1D0000-0x000000000C208000-memory.dmp

Filesize
224KB

Download
memory/2768-7-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

Filesize
4KB

Download
memory/2768-22-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-8-0x0000000000870000-0x0000000000AEA000-memory.dmp

Filesize
2.5MB

Download
memory/2768-19-0x00000000073D0000-0x00000000073F6000-memory.dmp

Filesize
152KB

Download
memory/2768-16-0x0000000006440000-0x000000000696C000-memory.dmp

Filesize
5.2MB

Download
memory/2768-9-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/2768-13-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/2768-11-0x0000000005500000-0x000000000551E000-memory.dmp

Filesize
120KB

Download
memory/4676-323-0x0000000003390000-0x00000000033A2000-memory.dmp

Filesize
72KB

Download
memory/4676-306-0x0000000003320000-0x000000000333A000-memory.dmp

Filesize
104KB

Download
memory/4676-310-0x0000000003350000-0x000000000335A000-memory.dmp

Filesize
40KB

Download
memory/4676-324-0x0000000005580000-0x00000000055BC000-memory.dmp

Filesize
240KB

Download