c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Analysis

max time kernel
417s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6781.tmp	msiexec.exe
File created	C:\Windows\Installer\e5860ad.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e5860a9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6425.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7175.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7416.tmp	msiexec.exe
File created	C:\Windows\Installer\e5860a9.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
5020	MsiExec.exe
5020	MsiExec.exe
5020	MsiExec.exe
5020	MsiExec.exe
5020	MsiExec.exe
5020	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect\CurVer	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect.1\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\msteams\shell\open\command	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\msteams\shell\open	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\msteams\shell\open\command\ = "\"ms-teams.exe\" \"%1\""	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect\CurVer\FriendlyName = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect\ = "FastConnect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect.1\CLSID\ = "{19A6E644-14E6-4A60-B8D7-DD20610A871D}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.Connect.1\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.Connect.1\CLSID\ = "{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect\CurVer\Description = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.Connect\CurVer	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect\CurVer\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.Connect\CurVer\ = "TeamsAddin.Connect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.Connect.1\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.FastConnect.1\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\TeamsAddin.Connect\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ = "FastConnect Class"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3692	ms-teams.exe
3692	ms-teams.exe
3692	ms-teams.exe
3692	ms-teams.exe
5084	msiexec.exe
5084	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	Update.exe
Token: SeShutdownPrivilege	3020	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	3020	ms-teamsupdate.exe
Token: SeSecurityPrivilege	5084	msiexec.exe
Token: SeCreateTokenPrivilege	3020	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	3020	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	3020	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	3020	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	3020	ms-teamsupdate.exe
Token: SeTcbPrivilege	3020	ms-teamsupdate.exe
Token: SeSecurityPrivilege	3020	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	3020	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	3020	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	3020	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	3020	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	3020	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	3020	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	3020	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	3020	ms-teamsupdate.exe
Token: SeBackupPrivilege	3020	ms-teamsupdate.exe
Token: SeRestorePrivilege	3020	ms-teamsupdate.exe
Token: SeShutdownPrivilege	3020	ms-teamsupdate.exe
Token: SeDebugPrivilege	3020	ms-teamsupdate.exe
Token: SeAuditPrivilege	3020	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	3020	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	3020	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	3020	ms-teamsupdate.exe
Token: SeUndockPrivilege	3020	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	3020	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	3020	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	3020	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	3020	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	3020	ms-teamsupdate.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe
Token: SeTakeOwnershipPrivilege	5084	msiexec.exe
Token: SeRestorePrivilege	5084	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3028	Update.exe
3692	ms-teams.exe
3692	ms-teams.exe
3692	ms-teams.exe
3692	ms-teams.exe
3692	ms-teams.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3692	ms-teams.exe
3692	ms-teams.exe
3692	ms-teams.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3028	3920	MSTeamsSetup.exe	85
PID 3920 wrote to memory of 3028	3920	MSTeamsSetup.exe	85
PID 3920 wrote to memory of 3028	3920	MSTeamsSetup.exe	85
PID 5084 wrote to memory of 5020	5084	msiexec.exe	105
PID 5084 wrote to memory of 5020	5084	msiexec.exe	105
PID 5084 wrote to memory of 5020	5084	msiexec.exe	105

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3028
- - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1731963565608&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3692
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID 8cdbb87f-d396-44d4-8c8d-21d482334db1
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3020
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID 8cdbb87f-d396-44d4-8c8d-21d482334db1
      4⤵
      Checks processor information in registry
      PID:2912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 30F62D1B3D1C8E9BED708ED63B3512F1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5860ac.rbs

Filesize
350KB

MD5
6be3bd06889ee111a342ab95a781e357

SHA1
c578e4df0d388afbaad3962af9afa0e63d64531e

SHA256
67421b3c731bcd516d41233b4b50fe59f45fc67fe079be4b0fdf210a46b48eb4

SHA512
1ae924bf9dee512b1ddb4a2c1831861f242c8916ea0d94bad60560ac100cd40aeafb4f2de94a0458f4c7ccdbd9129d740b7bc6f535bc510fe9b5a1136b79f8a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
9d0cd5e87696103f2f54a104937b6d25

SHA1
ee37b3aaef78a9cd68dfa6d8fc4cc731c56966d0

SHA256
1f3e06d5348cc8e5de491c4fd926c118298a7f689d38fa5f387bfddd722d1274

SHA512
0d48b45297e5caaef378ece31c6fa36acfe4881b7ab99b4467276dc3f71d0308016ea0fae878e706c63f543ca77d5b10ad41db4b06b28d798686403a093ad266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
724bc5b1af379436e35dab5d9263098a

SHA1
9ca9ae26596d7bffaece559898e2ba28c0880833

SHA256
6ee2c24e8f0eeda61d1a5b5a7b8f4ca91ce283d614e1f4d5d3df21719d0023cf

SHA512
3c447ee0e65ef68a2dd0e031b2a96e1cfc5c38a555905f1c4821b6ba0b5d6d8d08dd29ebbb50a160d8c88bbf0b165742cb94bf20438eb796d6f3e928b6c11684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
7093b4e3758964c2ea3235d6ef7aaf3c

SHA1
d14248021a1c54f0bb941c8307750eaf369aac78

SHA256
b2df7723ee5d7c3778104efc4c21125177a721dcedd686c387a6f3616ec0a7b2

SHA512
e5f1973b4e3f6e8aebbe4d19d71951f2a3396544913633a9997df0d0bb0d15e3f3a13c2e6f392b8b1d117e0799cc802319d5b6734d6bdc02464e8d0a08372283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
e5fd4fd91bb94c1f8402e036dc52ae27

SHA1
1bc7a45edf58ed32bf8cd2a97c3d1f68a2591dc4

SHA256
83cdd9868117e678f4bb14b54c8e685fd3b496c718ac98845c140701f2f346da

SHA512
a226eae035f926f77a5f531c4e3f04415804123bede12b49837120ab7f2e83651f53ec2847dae47551a135f8588c6597a161dc274d23951fc2b636926add803f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\AddinInstaller.dll

Filesize
34KB

MD5
74c8e73ac9df19ffae99f833d78b58ab

SHA1
f576f7eaa7f10aa8a062c3a8745f5905b796fc79

SHA256
cfd58977a316a67e3f3587703d3ba104dd9a04e88aec44fca06687143ac263c0

SHA512
da66eb6fb1c6423ed25bc8de4b7102e287e34510a10089eca6501c27243b03c9377dc9b14fb741e86198e3bfda5656e20073234f2dd62b41b20e084b4e34f180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
985B

MD5
5995d7d0c7088db15b5c906d5910bb19

SHA1
f1aa2e752edc1c20a317f022613e582e32057d18

SHA256
4d7a73de9bb2d173fe4cfbc2415e40081c110bfa0c8bb8ee15c965a5741badb5

SHA512
267a1056d3a4c164afad6cb88fdb21596716cff7eb4f7b18fd4b6eb6c5aaa2a85ec5d1083231619f4600a87ded42e7744362017e46a589baf0151ff396129ae4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json~RFe5859e3.TMP

Filesize
952B

MD5
0b44af534fe6777f7176293dff1a8288

SHA1
bbfb1062216d4bf7f01f7048642634196a9abcf2

SHA256
561b401b9283d027d9cc74f825a1dafd80e4e8599463fcdaccd154fc713cb6df

SHA512
cb10c2df8418afb72ac70e8754c2929c4beda2e83314dc9b77738aec56d15c500f890ebecf079a071170085fd6033e6540e07c8c32684e64f00386e7d72632d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
95f3cbf59a6c969c9f3c301bafd8df6c

SHA1
cbef16bf45a97d0e309ed280e857c8c37b338aae

SHA256
0ef23f2f1adbabecc101a14826928f51d02b65fe9fada51e7eda318c55929e55

SHA512
c4d3b1cecece9516930a71691b75f1922bda3176d112d844a451359455a86234d94ee4c2c04a81c5b02e4954baf3aa74e3344c957683a60166a2b7f3ecc8a952

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
32B

MD5
808fe0bc4a35c59e459d195facb045c8

SHA1
3cfa0f26d23b51e1a60f0448d7e885a30054a8ab

SHA256
d2dacd4bd564bbc5c11c6703b4859bb9b1a5e2d4081c243e6cdcd538e4bf36f0

SHA512
62c77acecaec48e9444bec6aa40707bb03974052c6eaf2141cf7a1fa8ee7ffd7b8f218c2f9e266292149bc633e980960fe099de9c73f01dca0ad2f8213368955

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
08dd15dc2e1ae84c1f616c488223b192

SHA1
c399ae94f56f4c0e584c83e3406ef931cef3545e

SHA256
bb931362e239bd07b85e5e1c85a7de04c300870ed682f7cb968db4aa48a81dcb

SHA512
635d053962690369c6ae335d5f7e7c82667147894e57e9c21be01e7c09a85c89d575833c3a8f9e95f5863393cc16ba51bc659259d93d0da652f528e592fa910c

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
1b5e7855c070fbfdbe8faab562111e4a

SHA1
f38f96b20dfb450799845e967ea9df5b7e8bb29b

SHA256
ee9901d22ddbbfc80a70ae7dbc8a69c32b3322ab40698b8d6685da35231b7ec3

SHA512
bc092024396268f82495cc8f1e29c57467d5e5823fedef14baa90b798b65c19961f7eaff34136c6317c16bfa98d1d324c278434e92c551ad06370e8746d34aa1

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
509ca356e11c282c33d6f741e86fdc51

SHA1
187198ea4abdffcdddb59c3553c5753f2a653b19

SHA256
05d0db3b15c4d02539cb082c1457f5c4e6ce9ecef35f1182c8ce3cb31fc030d2

SHA512
f87919c1c65f8b372a70b77cadd5e10bc05a8289be7fe6d572fbc3fe48dd0570cc04be15c1d51c041f982e8436afa6bbbefde383f682c402a235f6740d752a47

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
3e6a85e4cdd7bf9fb5098aa0a3fd4975

SHA1
6e510f04ac10e9623f87a92321c709836bcebd8e

SHA256
55f4d6574e5a6c027fc24a885c284fbefa58056b44febb4a5ff25bfcfb8692d2

SHA512
53790b8219830bc24b3a546e6823520bdf73c039d9fe5c0cb536e336d8987d32944a8f0f031cae408a04a9fb313f86589b62b63cc35e5e79383a2f1be1536829

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
86ddefdc71c5d50d341ac167db119428

SHA1
178530f374c13e3cdbcb1ebb1004948754092206

SHA256
5f09968f8ef9b255d01706ace34e20db31cba5db79ad49e73205d9d297e5f183

SHA512
6ee0693205c7be60b8171f9e65bba91c017ae3d3a1528280beef86a04eefb99baf50d2000ee01615f97a44f352d8b78f6146fb89d5daa959b00361cfb7952f01

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe58585c.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG6378.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\Teams\meeting-addin\meeting-addin-t21-msi.log

Filesize
877B

MD5
b47304a3a6f6528b788edb47340bd539

SHA1
8ee4c3502a05ef2bd348a11e4c9385444a3020fa

SHA256
fc00f4fb9ef9c89e0047e8ccfa39eb1bd11b69f799d298e83aadcfbb845174f7

SHA512
a5d3ed79e4dcaa1be86f45f111defdc0bfecfc73c9f23bfc9e017e4d4991b6716d598d810a94f3f3dd471c1349d874a63e7e188aa19732377c7b6d9c6f966ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
52KB

MD5
37fde116576e3f4ede8be296dfa31dc3

SHA1
7ad2a9f3b40f93590336c8b712d37c17a62d524c

SHA256
05d45c453613e6372eae6837879d0f8d7bec5fc1f21e8f210db70230d9fcd683

SHA512
04aade168dcccc6d493add6932dd53989ff0ef0a831341bc31e52033020109e206332f7371bca5c560a3d7e0a2e98bcaaa3e7a715db1e130e626b7987f0abc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
56KB

MD5
7e8d409b18ec9b7ad36ce54a9f4b332f

SHA1
11a86fdacfc5abbad10479bbc739a470359f93bd

SHA256
4d1699202a647256780031ef4496c9e5a0218c2a98287143c67e9fa45650f024

SHA512
cf2afc5465affba515cf4fa71d412a590de130d6bc231263d487a6a797f9453b4b827767b63b7187d184eeb318832b3a4527fb989a3989ef977233f5196b93c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
10ec91af9979e25c0cabc61c05ce21b8

SHA1
8bf6efd920b5425bf514017e5dfb18c5e071774c

SHA256
573fe043e2f1f3ecd7c33ae30d64335a1975bb5965c3b43bc04beab22a9bcda0

SHA512
ddb459753dc00bb9eec83f11f4dda775571975159b1aac82e0743b7e5d529fc8a407d069afde0760453c29d36dced1ba4f12f090697455a36e93a68d799e449d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
31d7a0352ff3de70ee52a2594ae23edf

SHA1
7684f8f107910f02ae768c87d9026f3a4bd6057d

SHA256
d5183e8dd95f19422e11890c0f1e8ae7d126694c9a93c80d80d070c2724dfd29

SHA512
9099c5a109a8ea5428b974abcc03a02cae84be188889bef51db63ee38d2a2a6898c8bc0f003f763a0f10545088252f48310eecec29142b61bcd46676aeacb53d

Download Submit
C:\Windows\Installer\MSI62DC.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI7175.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e5860a9.msi

Filesize
13.2MB

MD5
cebba83400d9eb6d33ef0bb7332bdada

SHA1
21db05f342dc62d01a863c63164f83bf00ad7f8a

SHA256
2db4946704305d2f59ac879da7ec8f8a4d928d6badcc2fe2bea5f375fb2d2314

SHA512
2d082dbd6214c51c7226f9110b02c0d145cf30b181d274393b9a27ad38d86d43327cecfc15521770812e6772dc9885f9b0c704acabb58618ab196f8bd3fe24dc

Download Submit
memory/3028-22-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-31-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-27-0x00000000737FE000-0x00000000737FF000-memory.dmp

Filesize
4KB

Download
memory/3028-26-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-29-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-24-0x000000000CC80000-0x000000000CCB8000-memory.dmp

Filesize
224KB

Download
memory/3028-25-0x000000000CC60000-0x000000000CC6E000-memory.dmp

Filesize
56KB

Download
memory/3028-23-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-30-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-19-0x0000000007BF0000-0x0000000007C16000-memory.dmp

Filesize
152KB

Download
memory/3028-16-0x0000000006A60000-0x0000000006F8C000-memory.dmp

Filesize
5.2MB

Download
memory/3028-28-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-13-0x00000000063C0000-0x0000000006426000-memory.dmp

Filesize
408KB

Download
memory/3028-37-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-11-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/3028-7-0x00000000737FE000-0x00000000737FF000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x00000000737F0000-0x0000000073FA0000-memory.dmp

Filesize
7.7MB

Download
memory/3028-8-0x0000000000F70000-0x00000000011EA000-memory.dmp

Filesize
2.5MB

Download
memory/3028-9-0x0000000003540000-0x000000000354A000-memory.dmp

Filesize
40KB

Download
memory/5020-333-0x0000000004B20000-0x0000000004B5C000-memory.dmp

Filesize
240KB

Download
memory/5020-332-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/5020-319-0x00000000028E0000-0x00000000028EA000-memory.dmp

Filesize
40KB

Download
memory/5020-315-0x00000000028A0000-0x00000000028BA000-memory.dmp

Filesize
104KB

Download