c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Analysis

max time kernel
299s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\az.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_et.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_fr-CA.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Trust Protection Lists\Sigma\Staging	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\psmachine.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_kk.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1592_401532746\msedge_7z.data	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_mk.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\mk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\pa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\kk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sq.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_gu.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\concrt140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_id.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\pa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\fr-CA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\psmachine_arm64.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\en-GB.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\nn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_it.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6FCD.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F4E.tmp	msiexec.exe
File created	C:\Windows\Installer\e586ab0.msi	msiexec.exe
File created	C:\Windows\Installer\e586aac.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e586aac.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D5B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI929A.tmp	msiexec.exe

Executes dropped EXE 16 IoCs

pid	Process
3944	Update.exe
5484	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
3180	MicrosoftEdgeUpdate.exe
2172	MicrosoftEdgeUpdate.exe
3476	MicrosoftEdgeUpdate.exe
3224	MicrosoftEdgeUpdateComRegisterShell64.exe
3124	MicrosoftEdgeUpdateComRegisterShell64.exe
2972	MicrosoftEdgeUpdateComRegisterShell64.exe
5672	MicrosoftEdgeUpdate.exe
2804	MicrosoftEdgeUpdate.exe
6120	MicrosoftEdgeUpdate.exe
3316	MicrosoftEdgeUpdate.exe
4020	MicrosoftEdgeWebview_X64_131.0.2903.51.exe
1592	setup.exe
4908	setup.exe
6024	MicrosoftEdgeUpdate.exe

Loads dropped DLL 22 IoCs

pid	Process
1456	MsiExec.exe
1456	MsiExec.exe
1456	MsiExec.exe
1456	MsiExec.exe
1456	MsiExec.exe
1456	MsiExec.exe
3180	MicrosoftEdgeUpdate.exe
2172	MicrosoftEdgeUpdate.exe
3476	MicrosoftEdgeUpdate.exe
3224	MicrosoftEdgeUpdateComRegisterShell64.exe
3476	MicrosoftEdgeUpdate.exe
3124	MicrosoftEdgeUpdateComRegisterShell64.exe
3476	MicrosoftEdgeUpdate.exe
2972	MicrosoftEdgeUpdateComRegisterShell64.exe
3476	MicrosoftEdgeUpdate.exe
5672	MicrosoftEdgeUpdate.exe
2804	MicrosoftEdgeUpdate.exe
6120	MicrosoftEdgeUpdate.exe
6120	MicrosoftEdgeUpdate.exe
2804	MicrosoftEdgeUpdate.exe
3316	MicrosoftEdgeUpdate.exe
6024	MicrosoftEdgeUpdate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6024	MicrosoftEdgeUpdate.exe
5672	MicrosoftEdgeUpdate.exe
3316	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764358914898597"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ProgID\ = "MicrosoftEdgeUpdate.CoreClass.1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3316A154-AC5C-4126-9021-B201E9C33D7B}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{3316A154-AC5C-4126-9021-B201E9C33D7B}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ServiceParameters = "/comsvc"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{3316A154-AC5C-4126-9021-B201E9C33D7B}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.35\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ELEVATION	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2920	ms-teams.exe
2920	ms-teams.exe
2920	ms-teams.exe
2920	ms-teams.exe
2136	msiexec.exe
2136	msiexec.exe
2992	chrome.exe
2992	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
3180	MicrosoftEdgeUpdate.exe
3180	MicrosoftEdgeUpdate.exe
3180	MicrosoftEdgeUpdate.exe
3180	MicrosoftEdgeUpdate.exe
3180	MicrosoftEdgeUpdate.exe
3180	MicrosoftEdgeUpdate.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	Update.exe
Token: SeBackupPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeSecurityPrivilege	2920	ms-teams.exe
Token: SeShutdownPrivilege	2928	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	2928	ms-teamsupdate.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	2928	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	2928	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	2928	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	2928	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	2928	ms-teamsupdate.exe
Token: SeTcbPrivilege	2928	ms-teamsupdate.exe
Token: SeSecurityPrivilege	2928	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	2928	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	2928	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	2928	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	2928	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	2928	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	2928	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	2928	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	2928	ms-teamsupdate.exe
Token: SeBackupPrivilege	2928	ms-teamsupdate.exe
Token: SeRestorePrivilege	2928	ms-teamsupdate.exe
Token: SeShutdownPrivilege	2928	ms-teamsupdate.exe
Token: SeDebugPrivilege	2928	ms-teamsupdate.exe
Token: SeAuditPrivilege	2928	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	2928	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	2928	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	2928	ms-teamsupdate.exe
Token: SeUndockPrivilege	2928	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	2928	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	2928	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	2928	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	2928	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	2928	ms-teamsupdate.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe
Token: SeTakeOwnershipPrivilege	2136	msiexec.exe
Token: SeRestorePrivilege	2136	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3944	Update.exe
2920	ms-teams.exe
2920	ms-teams.exe
2920	ms-teams.exe
2920	ms-teams.exe
2920	ms-teams.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2920	ms-teams.exe
2920	ms-teams.exe
2920	ms-teams.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3944	4560	MSTeamsSetup.exe	83
PID 4560 wrote to memory of 3944	4560	MSTeamsSetup.exe	83
PID 4560 wrote to memory of 3944	4560	MSTeamsSetup.exe	83
PID 2136 wrote to memory of 1456	2136	msiexec.exe	107
PID 2136 wrote to memory of 1456	2136	msiexec.exe	107
PID 2136 wrote to memory of 1456	2136	msiexec.exe	107
PID 2992 wrote to memory of 4192	2992	chrome.exe	110
PID 2992 wrote to memory of 4192	2992	chrome.exe	110
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 3788	2992	chrome.exe	111
PID 2992 wrote to memory of 2996	2992	chrome.exe	112
PID 2992 wrote to memory of 2996	2992	chrome.exe	112
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113
PID 2992 wrote to memory of 1400	2992	chrome.exe	113

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3944
- - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1731962277551&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2920
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID de2bbf98-a65a-46af-afc7-6a12581eb412
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2928
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID de2bbf98-a65a-46af-afc7-6a12581eb412
      4⤵
      Checks processor information in registry
      PID:412

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94C7D3F2A4CDB39CF9CA26E25D5062EF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffca603cc40,0x7ffca603cc4c,0x7ffca603cc58
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4228,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4568,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4492,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4528,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:2
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5200,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5088,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5292,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4600,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5680,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5664,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5924,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3172,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5124,i,7939089706905140041,12311317326918479297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:5752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5424

C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
"C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5484
- C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Checks system information in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2172
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3476
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:3224
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:3124
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2972
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjU2RDJCQUYtOTNCMC00ODkyLUI5NUYtNkYxMEJBNjhDRTMxfSIgdXNlcmlkPSJ7QTgyRjg5MUYtNTNFMS00NjQwLUI0RjMtOEUwODlDNkREOTM1fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezBDMjc3NTVBLUE4MEItNDhCNy1BQzY4LTJFMDhDM0Q3RjY0Mn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xOTUuMzUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY4NzU2MTQ4OTYiIGluc3RhbGxfdGltZV9tcz0iODI5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    3⤵
    - Checks system information in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5672
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{B56D2BAF-93B0-4892-B95F-6F10BA68CE31}" /offlinedir "{0106C17E-A839-4062-AC70-1C970E9C13C6}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2804

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6120
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjU2RDJCQUYtOTNCMC00ODkyLUI5NUYtNkYxMEJBNjhDRTMxfSIgdXNlcmlkPSJ7QTgyRjg5MUYtNTNFMS00NjQwLUI0RjMtOEUwODlDNkREOTM1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDk0Qzk1QjItQkYzNi00QTJFLTlGOEYtQkM2QkNBOTExQ0Y5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0MiIgaW5zdGFsbGRhdGV0aW1lPSIxNzI4MjkyODU4IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNzI3NjU0NTE0NTMwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjg4MzExNDg0NSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3316
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\MicrosoftEdgeWebview_X64_131.0.2903.51.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\MicrosoftEdgeWebview_X64_131.0.2903.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:4020
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\EDGEMITMP_5E3B7.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\EDGEMITMP_5E3B7.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\MicrosoftEdgeWebview_X64_131.0.2903.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:1592
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\EDGEMITMP_5E3B7.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\EDGEMITMP_5E3B7.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{85872BCB-5840-42D3-96FB-D35CCCAD8C9D}\EDGEMITMP_5E3B7.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.51 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff64e1e2918,0x7ff64e1e2924,0x7ff64e1e2930
      4⤵
      Executes dropped EXE
      PID:4908
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjU2RDJCQUYtOTNCMC00ODkyLUI5NUYtNkYxMEJBNjhDRTMxfSIgdXNlcmlkPSJ7QTgyRjg5MUYtNTNFMS00NjQwLUI0RjMtOEUwODlDNkREOTM1fSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7NkI1NTFFQTEtRTQ1NC00NEE0LUJCQTctMkRDNjgwMDkwQzcyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEzMS4wLjI5MDMuNTEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY4ODc5NTg3MjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2ODg4MTE0OTQzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjkwNDIwOTMzNCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY5MTkzNjUzMDQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc1NDI2NDY3MTYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZWQ9IjE3NjYwNzgyNCIgdG90YWw9IjE3NjYwNzgyNCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjEiIGluc3RhbGxfdGltZV9tcz0iNjIzMjgiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Checks system information in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586aaf.rbs

Filesize
350KB

MD5
106107a301635e8d1e1de630c346de5c

SHA1
b48b20593becdcac44a35bf9c84b7d47f931b3da

SHA256
eaed31ee1569d8b7a4d8b9e91c41e2f08a980f18b2cea91c6086c088658b7071

SHA512
3c527231300d4f6acef174e094f14511bc9d03e400e30d79df7a41658a6ec0fab3fbc66f7a0412a31e39ce0a88244c183689068fa52ce086c1bf0e6a9970aeb1

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Installer\setup.exe

Filesize
6.6MB

MD5
e8ecc691b6b345c25ea749591911d934

SHA1
b54f8b8ece5c4221c4180edfdef39df38a36ba21

SHA256
e226aafcb47b85afe8962b885921dd982bbeb356ddd1c66e5a6f42be80dd052a

SHA512
9364268b3e7333a6d52e3ab1eedb15c9cee98d5139be0708790275ef05abba12f32c2a39546b4c81f799d7ee662d5f705af9de28b0fca12a64c72ebcccd4f066

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
67bcf8d877953c1fdb8732942d0af1ac

SHA1
4966a3e20423bc62066c1ce8eaa1610d3a23fd17

SHA256
cb390e9ef56c02f0ddedba962a22ebfb6c9b8f75291c0a7b3bd2a6b01c097644

SHA512
fd56c381a28bae0538b3cd8c1dceeeaaee915eb1ebd02028847e5dcc33e5d4f8afdf12fed8ffd31f4a5188f7cb1bf749ddcd3cfeb0be4f0410fccd9fb015db8d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
db1acd5625c82435c72dfe120e0fddd7

SHA1
b8cad7b3f9efec8b4ff3c8c344481ba509096021

SHA256
f8cbc120b6d4536300838ffb510b0a4dbff19086065d0ddd015386a73bcb5a09

SHA512
13c8cbcdfb72f6a220825d35f5bc0d1a31046e32fb2258ae55f6538e4b0779fe20f2b92c0ad264256d9268f24e0480468e7f90985a5ba3e8c2a62211e760a010

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
215KB

MD5
f4f2de0a3710012e2ea5e64232f1c869

SHA1
028d8c90fa9e5036df028ea5a5a8d78ef1a4428f

SHA256
b0993ebb535f4e399489ff9456ce33f929597d246a46e89b7300595fc449cd7c

SHA512
adbcb2d058e8573b299ec974501cabf150287e018f6aaf4aba187bd534d96239f822a90c2e577c60643d9146ba47597793596d54dfd9bc30e7efa8b9f6e0b37f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
262KB

MD5
96a9bb6df038d9dec964905c0ae60e52

SHA1
912b4a4d2a220af283b626fcff673c4c537612f0

SHA256
9f555145640d2b11dd95b9dfff088a066e0f4398e03906c8142ff33613fe23d2

SHA512
ea0058bfe7ce0868f8cd9cbd830616e07f58fade8814bfa5a81094ce58d015a00025b030de27fd10b544cd0d6cb79b2a0e4f91314b9a53279e83bf2249e2ef19

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
396fe7495ec53d354cc4383e3590c296

SHA1
22f1c3b7b21a1f80f8d53b0e69e7df740e811bf4

SHA256
66dd98d249287e7707b8f1ee181bfb7ab1e2d1d96a5a8a4605d2cc4065a516ec

SHA512
c9826a18b5e4e8ff60d9960835c513d82c84c9fd864fb9e5ca99b276d32c88d1362beb870f3d7faab36009b7a430000d603483b1e7d4f124f87e366b0455ec1b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
d937e1fd21e13275d67ab8090870b550

SHA1
5d9e56deb55f1a10628e56fa89f1601ed7e3903b

SHA256
16eda0080ead81c7a2a0b58cf6afde6a26aeaaa041abe25cd67afa2ec3289c43

SHA512
202fccef200c07abbe888936e18cca41bbd4acb9d292df49377b00a482ff51ad847bb377a50466cc0eaa511bd8acb506bcaaa28e1ab7f5d153a0fde0d45890bc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
0da4268d8116a2b9ada30f2669414f1e

SHA1
51bbe90e02921861a745414af95bd4d7e804a9e0

SHA256
f58a3a76b5d4b7180c7f0f85c7f5539b8dcb70a520c42cd9f6c0a6c17899c60c

SHA512
4d7c74312103db926d29ef744cc497165cce83f29d3b1274e7f6e21f6f67e6354a5da3dd9a1d9b829c9e6316bc3f3284179020abdbb5e98d50729b1988ed2634

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
66e61a107128e46f8b29236eb13c2a2c

SHA1
fa1a72f66ba36bfd4723411ca2290d39c5da0067

SHA256
3ea7bd0ebc7d7230bf769c28073004b80faa91a511e46224fef93ad8df15de26

SHA512
b893caaacb8a9a70049dc60dbcbc4d338153918506049c26ad2b7820ccc1779923f2a9b6e10526d15ef3922e638e142679361924bf6b81921057ea3c2bd25e48

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
ce2b8d59f952e5f340db29ae0723e5bc

SHA1
01bc443adca8556135112537dd8eb389e626707e

SHA256
734f7957f2bf69da418938b07f0f69e5d648a2f60545c14098ac5cef1bdcefff

SHA512
ffe85f8b655585b42c90df0e0d8d49d412e892e1223532c0fdae7c0038c2e5dc422c5d1631a53702e51bd54fc8e2320784e606f81040b4e640add65363c0d88a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUA142.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
8165e466a1a47380785f33d1e8dc30af

SHA1
d054321c568fe9da4031f89ebfe04e0ebe323f20

SHA256
af4de59b73a32643e02a4fffb527f15377b38285a713731c01b3e1de648604f9

SHA512
d8fa806f5f3b71b7260aaf0f3d2899f37ae40fd99c0325257b5ae828245dfd503f7cdccc6b13a458fe3c9fc4291c9912a90f7280564f39e81446ab5878ad9cf0

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
54c457be34e3c15e4f75b6a26cb43a3f

SHA1
ea73d151c55aab9d753e510862c88e68677d85ae

SHA256
d4570619269136d1eedebe3a6de082eb7bf198483a63c48f0e56ce78b1c4d8cb

SHA512
54051e732d42bba0b0ad0b168b16acb41be8a638c86972515b4edb16870cbe0cdd4c290f91aa38f4a92ea612aca729d325f0cd707f82d2b02e6b20b17b9653c5

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
94KB

MD5
8dff81872f0f5947f7f40a8a0cef4cb4

SHA1
985756c7b35cd93b9f6e1a6d495b9cf3ee8efe1d

SHA256
de2f6204ff1cd7fcd9062f28559fef08132e3f1adfd58610651fdaff8b23e37a

SHA512
c376e416a0c587f244e4663ebf063acd8211c402ba415a5fbf55c31dd6fc20245db83fd1f8882d4b4d3e1d04c6fe96a03e90dd6c8c72a2c5dab55ff2edae1f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
6b1dc3d19821301ca3e83d1053aa0b0b

SHA1
c4e4ee1cd06aeb47efdb96627ec0c088e8a096fd

SHA256
0f299895cc6ad40f61b0b09c49d7b362521b417ad9bc53df80d371c7cc0b0b22

SHA512
dd194f8cafe45cc19006a919bd758f1612e6f681cb79a3f96a245b18ab131e4278c1609a71f1b16850e80701bc9293a8595a196f083bb6a47eef11f5c573d93d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
7bdd4760141c8d1c6f85a1f258930249

SHA1
b5d5ece6d1da5f61ff96d4939f27250cac9ad47e

SHA256
4a5dc4c892ed661fadf736932b2113da394feefec3ac9db0d102b742a1263102

SHA512
2e3bcbf427faf7bb66cd8046107052f34c536a30047f2e8968f9b6fd5014a3eda11d2f9435b223c12af8c5c2d75eaa594b0790fb2504773cdabcda77116884e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0c85391c2a2ecf11740a8bb96b186867

SHA1
c9db2cf2a41474105da3d73151a8151de00f8663

SHA256
dad453a242ea4a972ac123a4f1ef771e49da429d393259ab162b7f10228d4f75

SHA512
758de7914d8ee7b59aabcdbe0451d1dfe482be20a2387fe7cab35d524ba3166ff3e71a26529da01e74b6deef4ffd2f25947b26813d0b732e734c5a008c901ad3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
051b38cd8bc91971e81be4fc2f9aef74

SHA1
67927e2a768621650a4e03075ef8e375c83212ef

SHA256
6bae28b35a17a64880f6304ac04c110e01fcc8a297e7e6ed04ec970892676610

SHA512
551c4fe6e120192f4f769e4c529983f3dd13cd4e55f674966443aebcfa5dddc74c0aeea20cc421590318b2ad2893edf9ee54121fc9a949391d4bad3674d42f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e12dc63f7ca1067b8d5d9da31d8525e0

SHA1
842ce929bf598e702897d243903a1067e4c3dd20

SHA256
44b7508e826bda86952c876dd37701fcd796077a9572f0d6e1524115422bc159

SHA512
551a55e7f984e4a13efb59fd13baffc3147a66b2079a088fbf1d1363cf17d68d01fba10f50088df34bf820c75268c664a6bf3ebe23e084c0d71315b4e279a8d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\76f3d263-c01e-44cf-aff4-e67e55310e99.tmp

Filesize
3KB

MD5
ded1340707be81bed57e6a303318646c

SHA1
49c43126f7139aa6c8001e3dce2947661fcb7034

SHA256
dad8e6b660ed1371d8be33e8a441e0e86ad0e0f84e62d882e102d7764cd23df1

SHA512
12662444ceb836dd4c1ffd151db944e88927203dfbc61e5900d89a1e6c6dd76ebf54281011d18445603c4b9f09f7b81f3bb75350f36c70412aefdff1c59b2d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0418581ae14535df1f1801cb089fed2e

SHA1
2e44cbf978333d36f352baf7aa7a410389333bbb

SHA256
a832e302c8392c78bcf0c65795cd0dfc4da8e683f90cfcde7194f1aff1a3c245

SHA512
d45afbaa89cbe07fbf0cbe9acfa78b41920833bba82f0a8ad94099f563362486f5db401e026d76bbed39150840e51489650cf5de463d3bc8a31439fdd991c8f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5113b5866de3f64fd71920e578d55ad0

SHA1
0f164da32b242dd18013f31db5a42388240deb59

SHA256
ae7b47babfe69ef427b04bbbd943b1b67a2d474822a1bec3d91812b7dff3ab47

SHA512
d2baee068f29f44e920361a8fe464fa00f0e41a428efccdf44c83dc340fd6b17887796a1e65d3e8c6fd345d3f14fb2f27f80eaffff34333bbfc31dc431a5f69a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
d63a3ce1565451c943f5ede543a679fb

SHA1
5e84a18518097734c6f43309cff56d597fa3a2a5

SHA256
cba291e910299670f5ba38a70f570fee9010726ed873df89c540cdb8e7b60b20

SHA512
c577b0133a96185af247b20a163f2b720197cab012536b6811f1ba6500d5f097e99beee7db6764bf97f8ab6085dec36b9b7eb19132e609adaaed83f2a0a94068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ae3dfdc7833ee6a36502286c9fab87a6

SHA1
ceec98264d5f49366732c504abef448644854d0f

SHA256
d5be296a0e9ee36309931f607d825bdb5a85a25781be346abb818e44079f72be

SHA512
c9d7b7854fa4015a089e144fc5a7db3f10b2cbcad1e540171a861bb031c3bba72810d1cee155b55c34692ab255357e904d56ea79be85216fdaf0fa98d02c0f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
d2f86eddbdeeee588a5591b1eabe3014

SHA1
df0b31e8627088bf1afde8a083caa3f500ce1190

SHA256
35e73715026629cc774facaf0c59c9e9c36a128144abf63689d70bb88d9d52d1

SHA512
80473969fd9e7cbe7f12bced20c68d7a740de270bd7cab56ce5ade88ef4fd082456e36e0c3f9716fd352f71f369d128c9a342aa3076019d0cf889075ec67046d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
6ea430cceeeae4a53b8490890fcc1d90

SHA1
720bc98616026eae1b224656568449c54588e516

SHA256
c752279104877651286cbb2aebdf6342232d113549f8dd54c1d714fed434b0fd

SHA512
0fe75b29ab03f7813ddfb439023a20fa77b7bfd5a203c6eb71fca5a1cd25a7a207b6a1b12fcd51672bca092061bbb3c1b6850eacdbc00a09653400095b168ad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c4cb23a97c2e00ad5e51f798cfef6996

SHA1
6fc637e60fdd0f27cbceebc6d546001ddfdedfaa

SHA256
0066e2e453479ca593eb6b748a3e1a07fc6a35367acc2ab2fd7dcc6df5b5747d

SHA512
27be6890add3328929ca5099150324098fda03987ec7f694447a8b09293f85e7b2e10163c1b40626f4807a31ef7da9a67a485e7f7c9905fbb0b8f6ce80074551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3fdc806bab61da706f77b2a00cab0d2c

SHA1
bccb6e9763497396c1731e576bdcde0bca3d152f

SHA256
da9db145d1c6c4d54faddee432ba3707f26c3ec4478549635e068289e5b5c72d

SHA512
6c7a04a61aebaedce645919459b7e8c127255fc65490aba9a92ef95283400bbe496d604242d739d3b6a79751a8b6800455ae732d3ca21889c011a348646fe335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
318d5b398ab989bbc5e73d5fd707a673

SHA1
21ea2963e089ddce8016c58695a0e8a4de34b808

SHA256
1ad14451ed03eaf448557231d374588bcd9bde8664ed5babe699606ec18b31dc

SHA512
1b53fe1323e36eb1792bc6d9b0bec059e293b9b2e0a13b9dd33d90914e85f2c5038abd337f19fb9184329731bf599c8a701c5a4af59c24e157ae4cb996462fa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
98c8e0ebb2ecc3ebdf0daf268a8daa80

SHA1
138e7968a2bd3e679902a1562101804c1de07ce2

SHA256
76a0cea565b5d04230f72ab879b30538571662462ca6bd23c0424e7d92f8b445

SHA512
5177f9aa364987e5fbb06ed66348ad29402bf1a281f2582d3e10d01f669d09fe900a7c33a77620b05e8312539b49edf6ca74c249de72f7fc0ffdd93c8c7fad80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dab2f5bfa7243c8b7e5026b2e7df4ff8

SHA1
1771c0fca800b4fd11f7823ffe40c5bd30a5b6f1

SHA256
58fdedd92e2325f8e648ebf621810a67fa8511c3fe59e965096a6a436468ceab

SHA512
d560ae88097ee2de14af759f19f47cfd5bfef63e1af1a09361415c5ba230d3a700509cfd0af27c4d34a2f82c971b86ac0e625eb50f25c70c9e567b7f50338e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d68f1983d57d755bef814229e8cac4e1

SHA1
4fd97b86709c65278fc3ac5cd344f066406e7b77

SHA256
9e60e5d0806ae74b492599a99c7f804d8dbd87ac71fe8d09d62b790386ae47f4

SHA512
e244220acbbcb78fa9bec9e39a9028ceaf1b7b7e6042f9a0d4141b4cdfd0c872fa71354b61b815de1ac8c9c4c9387b0cf170d5d9fe2df4460fb11c5caf696e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ef43d41e3817912115bd1d54b978248d

SHA1
12c0653f99b4d0388e8f227ccf5abed11b190248

SHA256
b08aa3af04dd5cb1d11b8ca46378b4f1a408ebf7de7ac9648acc24e6e434cad6

SHA512
d7a0cc3f046736593aee6cceb3481d53960009a4e10727f1dd2d9e9e54e79086a9e96591cecaa7fe424eb7f7dd9b81c2ae586ce53ff8852c31f32b54bf05e4dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a27f2a43203e6122eb3a03edb4da4eea

SHA1
241d17887eb0f5fa4127f8648b4da9d47646af1b

SHA256
81b0187fbdfa23590681118e2123add1126ad23e6cd120c2f65016c2639830d8

SHA512
8d69c71f3755fcf8a09922341a3a2ed95bbc8cb5ce297239c306dfb3db3cdd9542191803a56a0df65446bb1b0ccedf5291f0636c3f261dd2317c9be565588ecb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ebba1ff6b6662b5d95eb7cc5ec528816

SHA1
667d17f04a265c3a5bdd234d561e38f74d92ad6c

SHA256
57d58cee6fff982bab38a5b201b6b9a0c2ef9086dfea48ffde468427ee59d169

SHA512
498cd9bb89e8513fb77a31744562ca6e5131f1a628556bbbb7c8237a99c1a66d8504041842e09f325fd93c4170871acc731f4ad7930c15da11df619ab55e8328

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c414d3a4ea0edbe4b51ba69e275cab15

SHA1
1c2f6c347de5d944531b36e31e87bdf4ede95de0

SHA256
06d090b0227d8d55b9ba300fd8ade27726c958787cec16c4410ad13123e0bfd7

SHA512
38a408c422ce9280d26325440a84b9587b8d3392564bfebc58bcc3048384bcdb4f4a40de1d43cba73b60147a60d2e6433c22e8f2ed6b79e0c9eeccd25a807488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8c5a392b86d7dab2551f9b8cf197c7b6

SHA1
f1d295c8facc5495f618b163dd786a0a28cf68f8

SHA256
edc41470fb5682de54948863eb4fec5e700999fcd84c420ee53c95012088bf96

SHA512
ab1624c5688ad318d0601a736d5afcf56688da8930da724ac927e6ed958244b44b271c4564085e96ca3ee44b973489f94254f9aa2901922ce23fb4242fb9e7b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c4be9bb13cfdd4211bc60bfe571f6d78

SHA1
e034f3fdfa0e6c08e07102cdc2dbbe755358e831

SHA256
f71ec63474d5ad5e06a4d31f33f56d675ef6e032677a9574585f544166b9ec3e

SHA512
9194c64793520bf68a11333feb4f19f444e92b7ad1ff5137150200c83ed26f11aa86293c2e57f517e9368e797ce0126ecf3515fac0c90b106df1a5173d9fd8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a024886eef433956c0fb2394fecbe9b5

SHA1
641d6a7a62993db99d16eb5867da6d2f1a739f2c

SHA256
d7506e375810f9e1e3774c55214df94b35184698fa2ecabb5a5c73a20911c963

SHA512
1668587e688be2d906da0f57d4f0eb6cf2b756be908dc7a651c6205af4acb86f83ce6c7864095ce0795fdd3a6cc026efc3398cebbac32ef1d1488e27634f06fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
160abf53cc48db06ee777fa0be9f52e0

SHA1
86efa5331263d489c728875f8ed0a71b087b58cc

SHA256
485d45bac8637e1776c21a771a69a1a8e38572821b7c1a85c8cd04e618d22a3b

SHA512
62541d6755ef1e69cc30d873f095e962cd9aa1bd8884c2c76fb2365152a72369867457943e40ef832996d3ad0306cf15a95fb1f10b5debd0549dafc83905ccbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
34119e17e70e1f92218969589110e440

SHA1
45563169a99077b98f0e0b5149f5c57b53451ad8

SHA256
d86da7b2cf3ebc51612cdd5bb10f844f0a366f762e012b6fb7302a9b3596ab5e

SHA512
1d67b76eaa0859b82f8bfdc316803521cabd4c71332ab3a66ab96e26421e9c08bdaaade8c7a70a9c8500a5c070c3ae6fc766243ebf9ec9b116d7095a05e43e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b918d4784eded149613c67e9083f7b9c

SHA1
df907803808447c667be5207c52f8a017f6a5aae

SHA256
f7401cbf27b2e403c2c87bade7d3df8ee67a50888c7a8eb2780b7efd28808820

SHA512
b697e68e79664746d5600195554a2ae788d56489f0249a88fff765d382d69906c08068053a668e3f993722f25f080d3ecd5f5cd5f3b8deee3309b89ea9558377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
070979384b109134f846764332a7a35f

SHA1
261e6845b3f335c7ec1c0811b8d925aed74086f3

SHA256
b27ef5680b5da092c076252ef801601b963daf1af36c0100452104af053265c3

SHA512
a3ceedb7b0f8fc82a38d1828988977262c746955f144932b06e26e7912364039a77d49480ebd9787fdf07c89eda9e1128b5d400ea7a21455aa9438ed7871bbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
3bc89f65e7571720944da95f1259b9f8

SHA1
c58911b476a98d85a2de27d17eb9998b9c9f1a1d

SHA256
e84c0d77e317cbca42e15577a0d275d3d02802334c44e06fa69ae715cd2f203a

SHA512
c2a1ac91854fc49c1b1d26b208ce944b3095c0cdc5c0390f17c2be510e431cbfcc7b409788c9aa9248d70afa0163c74c6ef128756ea18f7b78575d9774ce0735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\AddinInstaller.dll

Filesize
34KB

MD5
74c8e73ac9df19ffae99f833d78b58ab

SHA1
f576f7eaa7f10aa8a062c3a8745f5905b796fc79

SHA256
cfd58977a316a67e3f3587703d3ba104dd9a04e88aec44fca06687143ac263c0

SHA512
da66eb6fb1c6423ed25bc8de4b7102e287e34510a10089eca6501c27243b03c9377dc9b14fb741e86198e3bfda5656e20073234f2dd62b41b20e084b4e34f180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
985B

MD5
5995d7d0c7088db15b5c906d5910bb19

SHA1
f1aa2e752edc1c20a317f022613e582e32057d18

SHA256
4d7a73de9bb2d173fe4cfbc2415e40081c110bfa0c8bb8ee15c965a5741badb5

SHA512
267a1056d3a4c164afad6cb88fdb21596716cff7eb4f7b18fd4b6eb6c5aaa2a85ec5d1083231619f4600a87ded42e7744362017e46a589baf0151ff396129ae4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
85e4595bfe2916fd797e88310114caba

SHA1
501d26774fc370c5cae9b58f3ae1d281ffa6b9ce

SHA256
7df85b01c1deaf4b939f5d431a9c8a4cb0bdf83300b4ff15db17be5db9b2f3bf

SHA512
83d650247ddddce8d0d73a295cf0e2865677d19a52aaa0c0938809cf73c293f951f7a10c65ae30388e2b059aa58c1d4db37c0419f33802f73ffe5094a6c348ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
95adda4268065e0d226951ee56d89381

SHA1
a27b9eb1e6a33fa30e0ded38a5ea5a23f300e3a6

SHA256
1fc964c9a2f95b8d51079a6dbb6008f0a53661b0ec3497b1045c81f6652bae64

SHA512
84d5e56b6e4c07d3341338727eb1d8f8aaefc68fde3b8150bdffb9c366e9171854b9a1e407b48e3c84d5c4f2fd75b3b10e226af0cb825010d6d734f8da5ea39f

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
b2a42dd67f53f1b33525041a4bcf92b1

SHA1
a69cf0cd5c2c3dc7ff95fabfe28fec819ad169c0

SHA256
2c5e9cd6690bfdfe463aca99ebaf521c4e644c7063db1dfad57a28d222db21d9

SHA512
2394cbbb56e998fa835e4a7907922c78cf9bd7f1aaa6954fb4a44392ab6e1021632c757049baca6af19df6130216c5ea76c551161a8d07abc5fb841629144b91

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
a09c0bebba1c7e04a1a51a3d8eb53437

SHA1
8dfd078eed795a995b875edc0bc27b16de8bf407

SHA256
94cd28b780207483bda18e264945c3a146d712da8fbc8d7d78a642b143d27c9f

SHA512
333fae36cc127ee9f7987ea5a4ff5ac9ab616afd3c60791ee3eda7749ececa9f4aaa9051469b6d0278d7da4d8f682acd8683ac21ad114cc1b5fb695b881261d5

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
5e71c27e37ac0985914045c9e885c7a0

SHA1
2e3a5f5c2025b6d87b0c6efc31f16295ca55a517

SHA256
ebb506b09997dd07339eb247cee6da71aa8020694f0a1e43a88ca94d02f49478

SHA512
4a623e13c696e425e11b13bd7ec3916d23a6b949e1764564d813ededbd52bbe038028664cf6bd6dcd691208083d3d1ea9111c9f4e6c35fd6cae4fdda9b3a4213

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
080bc970a98f828ee3d0ba365e5fb9c9

SHA1
66db3cbd2c13971a9804d9c0a29c4f87a30d9547

SHA256
f677cf1f2b651835cc15813f1c074a5d9f488e470893fd9c1dbf82d50b446508

SHA512
770ff9b2cda026776d0d75be51e00d7e34503966b8fd72c19431ae8aaad6161e58cb09bdcb32f89980967a3d551f119fdab3e592c4b92972b887dd3bcc18109f

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
4ae7df06c7145192a0da0b5ba976e3be

SHA1
4a2f8e43d990b8ad4bf9357a7e2ab5e1b7bfe17d

SHA256
1e7bd907ed09299e7e43d370b56f088242a3b64ba386a455f392dae5687967d3

SHA512
1602d12dc6116c8ee0566e06f1109cdc48c054e94a808c56c8fce5da700f6dcc5ba6a60c066dc81ec5a0001a5fc0cdc67da6a6712aef07ecd9c29b95f1922cb6

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe5866b4.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG6F4F.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\Teams\meeting-addin\meeting-addin-t21-msi.log

Filesize
1KB

MD5
45c122ef0695959fb995d72bebdebe4f

SHA1
205b9e9f5a1f60bcebbb3f810a9fe2378e6ecb4e

SHA256
61abc8f9bf17aaa8fcfe6a4891a88e88178fda5afff45cc9bed7ab2de57545e5

SHA512
7ab3f7b4294dab774b851d32616bf7548be344f5b988e4118bf7aeb281bf2b7b4070762be1e92879221a8f0c4d66a6a093b9e4710d93d8f6cd7bcc3ca7006d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
52KB

MD5
e69abffa47ee084e13438d9df5c2e406

SHA1
f444809edc094be0eb6862252586366407396a06

SHA256
5ecd5d31d045d58cd75d9967a78dd1d1c4641d23a09a10256c25678843e0abaf

SHA512
64193c765fcdd6f0b727bb156abb501df961210e462520d8ab8c216c963f634a1277fb65a29ca2e0c360dcc80f37561bc5141d47d189f1183c4f87c0de96b2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
56KB

MD5
33a28c19cf9cce18706dade561dd6103

SHA1
b3793e2815464116653e1015c55a6369e693700f

SHA256
caea744862ea37f295041b24f2e361b068d74d19f03df192d79112c33c27ec21

SHA512
9e04fd291d63a7d268707500bde7e59ca15aee1fd33ac81094a07e84eb247343aa9b7ff94832385c29f8503d40c143f1a2649d491f28e3e61988debc9b13f1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
839262c3806d7c568c270bb1280cecf6

SHA1
a713bc0c1e801f88752d3015f0c9e3a22f3f456f

SHA256
d6e7c27bfb511db7731a794d6a41302a01cd7dc23c5e73108288cee5047d122c

SHA512
5c54732d06d7ef7e8f97a07470a20025dbb645b292c4ea1e679f31287108cfffda61bd2d51c0fb18c171ec6e1928853b2cc7047d54a0ae067e17038a6f1c7852

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
b26e4967e15b6ee60758aa399f1cb65b

SHA1
fb47d93a31cb9146f4328cf9f47b815345ee114f

SHA256
3be5ead7814518c742a170f54d5edd119def35a32a91cd8f4ef6ecb8f244b900

SHA512
76775b060c7e55d81792fa666829edd03bdf245b4c0c753c0f8e34cb192545c025b78602a183e4a7aac490fb13260fac7326fb9a794e32cf21ab15e42ee9fe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2992_696220090\2ec9ec61-5988-4530-807b-fc065e35cf30.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2992_696220090\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Windows\Installer\MSI6D5B.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI8F4E.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e586aac.msi

Filesize
13.2MB

MD5
cebba83400d9eb6d33ef0bb7332bdada

SHA1
21db05f342dc62d01a863c63164f83bf00ad7f8a

SHA256
2db4946704305d2f59ac879da7ec8f8a4d928d6badcc2fe2bea5f375fb2d2314

SHA512
2d082dbd6214c51c7226f9110b02c0d145cf30b181d274393b9a27ad38d86d43327cecfc15521770812e6772dc9885f9b0c704acabb58618ab196f8bd3fe24dc

Download Submit
memory/1456-358-0x0000000004C30000-0x0000000004C6C000-memory.dmp

Filesize
240KB

Download
memory/1456-357-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/1456-344-0x0000000002A40000-0x0000000002A4A000-memory.dmp

Filesize
40KB

Download
memory/1456-340-0x0000000002A00000-0x0000000002A1A000-memory.dmp

Filesize
104KB

Download
memory/3180-1286-0x0000000074930000-0x0000000074B56000-memory.dmp

Filesize
2.1MB

Download
memory/3180-1285-0x0000000000D40000-0x0000000000D75000-memory.dmp

Filesize
212KB

Download
memory/3180-1343-0x0000000000D40000-0x0000000000D75000-memory.dmp

Filesize
212KB

Download
memory/3180-1323-0x0000000074930000-0x0000000074B56000-memory.dmp

Filesize
2.1MB

Download
memory/3944-16-0x0000000006A70000-0x0000000006F9C000-memory.dmp

Filesize
5.2MB

Download
memory/3944-36-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-26-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-25-0x000000000CA20000-0x000000000CA2E000-memory.dmp

Filesize
56KB

Download
memory/3944-24-0x000000000CA40000-0x000000000CA78000-memory.dmp

Filesize
224KB

Download
memory/3944-22-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-19-0x00000000079B0000-0x00000000079D6000-memory.dmp

Filesize
152KB

Download
memory/3944-30-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-13-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/3944-23-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-27-0x0000000073C9E000-0x0000000073C9F000-memory.dmp

Filesize
4KB

Download
memory/3944-11-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/3944-10-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-9-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/3944-28-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-8-0x0000000000E70000-0x00000000010EA000-memory.dmp

Filesize
2.5MB

Download
memory/3944-29-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/3944-7-0x0000000073C9E000-0x0000000073C9F000-memory.dmp

Filesize
4KB

Download