c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Resubmissions

18/11/2024, 18:16

241118-wwktsssjgw 6

18/11/2024, 18:08

241118-wqy48ssfjm 6

Analysis

max time kernel
426s
max time network
433s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e586099.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6927.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e586099.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6349.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI651F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B29.tmp	msiexec.exe
File created	C:\Windows\Installer\e58609d.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3420	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell\open	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\FriendlyName = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\CLSID\ = "{19A6E644-14E6-4A60-B8D7-DD20610A871D}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\CurVer	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\CLSID\ = "{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\Description = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4276	ms-teams.exe
4276	ms-teams.exe
4276	ms-teams.exe
4276	ms-teams.exe
1668	msiexec.exe
1668	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	Update.exe
Token: SeShutdownPrivilege	4736	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	4736	ms-teamsupdate.exe
Token: SeSecurityPrivilege	1668	msiexec.exe
Token: SeCreateTokenPrivilege	4736	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	4736	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	4736	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	4736	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	4736	ms-teamsupdate.exe
Token: SeTcbPrivilege	4736	ms-teamsupdate.exe
Token: SeSecurityPrivilege	4736	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	4736	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	4736	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	4736	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	4736	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	4736	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	4736	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	4736	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	4736	ms-teamsupdate.exe
Token: SeBackupPrivilege	4736	ms-teamsupdate.exe
Token: SeRestorePrivilege	4736	ms-teamsupdate.exe
Token: SeShutdownPrivilege	4736	ms-teamsupdate.exe
Token: SeDebugPrivilege	4736	ms-teamsupdate.exe
Token: SeAuditPrivilege	4736	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	4736	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	4736	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	4736	ms-teamsupdate.exe
Token: SeUndockPrivilege	4736	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	4736	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	4736	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	4736	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	4736	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	4736	ms-teamsupdate.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeRestorePrivilege	1668	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3420	Update.exe
4276	ms-teams.exe
4276	ms-teams.exe
4276	ms-teams.exe
4276	ms-teams.exe
4276	ms-teams.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4276	ms-teams.exe
4276	ms-teams.exe
4276	ms-teams.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3420	4856	MSTeamsSetup.exe	83
PID 4856 wrote to memory of 3420	4856	MSTeamsSetup.exe	83
PID 4856 wrote to memory of 3420	4856	MSTeamsSetup.exe	83
PID 1668 wrote to memory of 2300	1668	msiexec.exe	106
PID 1668 wrote to memory of 2300	1668	msiexec.exe	106
PID 1668 wrote to memory of 2300	1668	msiexec.exe	106

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3420
- - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1731956809858&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4276
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID f13fafc6-cf54-4abc-83c2-e7003ac85277
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID f13fafc6-cf54-4abc-83c2-e7003ac85277
      4⤵
      Checks processor information in registry
      PID:4340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8716FB7BD3E90A334E1CB048E2322D7D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58609c.rbs

Filesize
350KB

MD5
18488bf33e2665963624ca0e3ba41559

SHA1
296704945376caf4aa5c02dce1b0ddc76fbe3bb2

SHA256
ab42ca9a2eba4af4bc46c000bf460a29ebea4783450634e56472a24b2b13a7d4

SHA512
d06178460ed854a0536b99b499b4809da1f688d69c7fed9a573a13b0c4d9bdb9d0ceeebaa9ae73b7c739e73c5ebde1f20f5000995d1eb705eaae5fa9179ecd40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\AddinInstaller.dll

Filesize
34KB

MD5
74c8e73ac9df19ffae99f833d78b58ab

SHA1
f576f7eaa7f10aa8a062c3a8745f5905b796fc79

SHA256
cfd58977a316a67e3f3587703d3ba104dd9a04e88aec44fca06687143ac263c0

SHA512
da66eb6fb1c6423ed25bc8de4b7102e287e34510a10089eca6501c27243b03c9377dc9b14fb741e86198e3bfda5656e20073234f2dd62b41b20e084b4e34f180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
985B

MD5
5995d7d0c7088db15b5c906d5910bb19

SHA1
f1aa2e752edc1c20a317f022613e582e32057d18

SHA256
4d7a73de9bb2d173fe4cfbc2415e40081c110bfa0c8bb8ee15c965a5741badb5

SHA512
267a1056d3a4c164afad6cb88fdb21596716cff7eb4f7b18fd4b6eb6c5aaa2a85ec5d1083231619f4600a87ded42e7744362017e46a589baf0151ff396129ae4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
2f5dc6bdbd2b0b57e506ac35783a2140

SHA1
5e58653a01f5d0786a47bc4ce0a76d6b9ad5d1a8

SHA256
4a571f5316bcc95146196b35d15eb629cdc3f1836562a8702a7116be4a07a347

SHA512
03aa170cd9e39631adcb49b3a351a0fde1b399e44aa257f1ae1fe4798d2990ad194c61b7f2bac0189d869c26a9a047606615320df1ec9315717e7444d778c792

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
fae4705eac6ab4fbffe80aa18a6d69f4

SHA1
e2a49b032f91c5db3568eacb348ea8a02526e5f6

SHA256
b3970007a6e909d8346a82c31062597aacb86975779b902e5b7f0abce411536f

SHA512
540663f5e5dae9c3e11e1113ca27c6b2834350b07d233accc7fd06fd8d7b5ce1d1a7ec860c5666f3fdcebe81ef5433cc29740a14dffef934f15efeff03fcc2d2

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
048ca1b9ebae471177c580f0f4a8b84f

SHA1
d5a35679dfb0b3544a85736d874c48c335217f4d

SHA256
b5791c0468fea30e470933b1b8ab11a7d8ba2cc048e4c0e0f978a3f9e2112f91

SHA512
88af27300a9f38212e73a314d7a8bf15258e4a0abe40eae0364bbfea5775a6342f79586e2d44428bde221c6b263d303adc130237f9b89a715eacb6d3e7f0b020

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
1fddc7c1df228b319ade0d551ac7a8d7

SHA1
6e40fd00d1091f75ace88bbc794b8c5a4e62edd9

SHA256
b364038a75f4e9c993ac895ac471401cfc7f3c1ef6aede3623d43727ff520a73

SHA512
a16920e82abcf839eaa4e8c06c54d469ca23f0266a3210e4226dd9b6fe4f6d05227b030fb3ebcb3cf5eaf058288b3de22dbf54f36bd1da372eb3f4d696eebacc

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
35c1a510c31a7bbe6d73dc325a50907d

SHA1
ad1ffb63c341d58fd4823afc20b10d0059e88f5d

SHA256
b3b5e9562086f9690774ad8ad0913dcb22e86848f3dedafad9cc6c98f80b3ca1

SHA512
c6df32faea51b962617d8428a4822b5416b5fece8ac3674023b9872c3d0bbdbbe8e0485fe0a7bf71407da3365a96d8eaaf614e0c95e8895b1b22c5f77602150c

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
00e316d4cdb067d4c6926f97e8d067e2

SHA1
4bab08fb5a6a04f3a83c7e10d1ea000dc63af13c

SHA256
e541580b456e15c7984bb9bdce6dbb65e12430ca63b6a8abf7fae66371c432ce

SHA512
2cb55e0c5d6d2b064508bbc4d43048e1d2cb126b76e4a89dd6808b9690b49d9602126de7c06ead46a5046baf9c01ec2e5d4cdd23d8f9047e4066e2a76fde6d71

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
4e81db6edc3f08867231ee8871f8f40b

SHA1
b36b83685ac966e959aafa9bfadca01a10abc099

SHA256
a0647b60699c84a46d844a7c906c744742a3f1746b644347fd9d6b80b794d419

SHA512
0f1a5dd26d9547d5f5669447850f3f425a444dd44d59eb90b488c48e8c0dc4c70a4d19b1a00fd171fe34651bec9b70c40c20ca45f927d7b1a8ff677613851017

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe585c54.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG64C0.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
52KB

MD5
b814871a4ad406d09497ae19afbb8841

SHA1
5e6fda2b7aa055cc75103a215c4bc1a5b4275604

SHA256
61ef80946a4fc44727b84e0e7ad57abe89732fa4fa6a3550cc54cebab140f282

SHA512
13b35bc4c9df87c9bc23b3f83db3041ec0e518d47fd830fb6bb89e37f63616e740f3bc6c8a12ae312f2bcd22737f5f19b7a8874467918af71437a4b9e6cada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
56KB

MD5
4be9bb85948015dd289567540b981375

SHA1
93f364b4cb5ba403fce475e5a3f747bdbfbdf8d4

SHA256
fc35a9d52f451646419d216b83492d06b21f4203eeb5a0161a35e7a9ac0b7f89

SHA512
a52be03b3bf3790693fde02bc210dc0a76575df0505a66a5ac47440d6b289e524f776560565aad7550e936c249e4edb44ee02d233c054439368f6fa42f150ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
ffe9a730e047dd670a220bfa3c0e9e19

SHA1
8bcfe6af548bb796dc821a3fbf9119166718d009

SHA256
8b640ea1380d949261a711ad339395aba209af4bff76a9dab9bb6c6370915d87

SHA512
53dceb78f2e13a57f3073f8937328617136d3db6e389dec40f1480e5ebe59fb3d23f8d90077dc43322da2fca45076f25c79a4d534bd718e8a85cc9820847cf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
7052a8f52f99628ff4fef0cbd6cd0b21

SHA1
69ded99c194b2d4648dab2781d68f0beee2a84bb

SHA256
180fd9aab8f1b5b940cec92b319fe45ac4e4c779b3568609588f454ea32315fd

SHA512
2e94fea4f61aa4e817f28cad41554da0b40dd54295a3b11a6e29746586cf84b9e44c15e471593d1e89f2bd6f13176949b8b2c90811d2f285f1a943ed92531a36

Download Submit
C:\Windows\Installer\MSI6349.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI7B29.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e586099.msi

Filesize
13.2MB

MD5
cebba83400d9eb6d33ef0bb7332bdada

SHA1
21db05f342dc62d01a863c63164f83bf00ad7f8a

SHA256
2db4946704305d2f59ac879da7ec8f8a4d928d6badcc2fe2bea5f375fb2d2314

SHA512
2d082dbd6214c51c7226f9110b02c0d145cf30b181d274393b9a27ad38d86d43327cecfc15521770812e6772dc9885f9b0c704acabb58618ab196f8bd3fe24dc

Download Submit
memory/2300-336-0x0000000004B10000-0x0000000004B4C000-memory.dmp

Filesize
240KB

Download
memory/2300-335-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2300-322-0x0000000002A30000-0x0000000002A3A000-memory.dmp

Filesize
40KB

Download
memory/2300-318-0x00000000028D0000-0x00000000028EA000-memory.dmp

Filesize
104KB

Download
memory/3420-27-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/3420-10-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-23-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-26-0x000000000BA80000-0x000000000BA8E000-memory.dmp

Filesize
56KB

Download
memory/3420-22-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-19-0x0000000006DD0000-0x0000000006DF6000-memory.dmp

Filesize
152KB

Download
memory/3420-16-0x0000000005D20000-0x000000000624C000-memory.dmp

Filesize
5.2MB

Download
memory/3420-13-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/3420-11-0x0000000004DE0000-0x0000000004DFE000-memory.dmp

Filesize
120KB

Download
memory/3420-24-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-25-0x000000000BAA0000-0x000000000BAD8000-memory.dmp

Filesize
224KB

Download
memory/3420-9-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download
memory/3420-37-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-8-0x0000000000150000-0x00000000003CA000-memory.dmp

Filesize
2.5MB

Download
memory/3420-28-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-29-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-30-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-7-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/3420-31-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download