c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Analysis

max time kernel
423s
max time network
1147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4EBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58344a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI364D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BFC.tmp	msiexec.exe
File created	C:\Windows\Installer\e58344a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e58344e.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
1216	MsiExec.exe
1216	MsiExec.exe
1216	MsiExec.exe
1216	MsiExec.exe
1216	MsiExec.exe
1216	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\CurVer\ = "TeamsAddin.Connect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell\open\command	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\CurVer	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\CLSID\ = "{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\msteams\shell\open	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect.1\CLSID\ = "{19A6E644-14E6-4A60-B8D7-DD20610A871D}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect\ = "Connect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.FastConnect\CurVer\Description = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.25702\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TeamsAddin.Connect.1\CLSID	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4744	ms-teams.exe
4744	ms-teams.exe
4744	ms-teams.exe
4744	ms-teams.exe
2316	msiexec.exe
2316	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	Update.exe
Token: SeBackupPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeSecurityPrivilege	4744	ms-teams.exe
Token: SeShutdownPrivilege	2192	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	2192	ms-teamsupdate.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	2192	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	2192	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	2192	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	2192	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	2192	ms-teamsupdate.exe
Token: SeTcbPrivilege	2192	ms-teamsupdate.exe
Token: SeSecurityPrivilege	2192	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	2192	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	2192	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	2192	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	2192	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	2192	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	2192	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	2192	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	2192	ms-teamsupdate.exe
Token: SeBackupPrivilege	2192	ms-teamsupdate.exe
Token: SeRestorePrivilege	2192	ms-teamsupdate.exe
Token: SeShutdownPrivilege	2192	ms-teamsupdate.exe
Token: SeDebugPrivilege	2192	ms-teamsupdate.exe
Token: SeAuditPrivilege	2192	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	2192	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	2192	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	2192	ms-teamsupdate.exe
Token: SeUndockPrivilege	2192	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	2192	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	2192	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	2192	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	2192	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	2192	ms-teamsupdate.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2124	Update.exe
4744	ms-teams.exe
4744	ms-teams.exe
4744	ms-teams.exe
4744	ms-teams.exe
4744	ms-teams.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4744	ms-teams.exe
4744	ms-teams.exe
4744	ms-teams.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2124	1460	MSTeamsSetup.exe	84
PID 1460 wrote to memory of 2124	1460	MSTeamsSetup.exe	84
PID 1460 wrote to memory of 2124	1460	MSTeamsSetup.exe	84
PID 2316 wrote to memory of 1216	2316	msiexec.exe	106
PID 2316 wrote to memory of 1216	2316	msiexec.exe	106
PID 2316 wrote to memory of 1216	2316	msiexec.exe	106

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2124
- - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1731974754687&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4744
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID c2380398-2225-4bdc-8aed-6afc1c4d844f
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24277.3507.3205.5228_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID c2380398-2225-4bdc-8aed-6afc1c4d844f
      4⤵
      Checks processor information in registry
      PID:3972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4B1F367E7789515D0364E6071ED8B1DD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58344d.rbs

Filesize
350KB

MD5
c6b27d6c78b74cc558faa39f453f235e

SHA1
4f88993ed1ea9603d038ad3c6ea1ed583d8d8822

SHA256
a8174795a9d8fafeeb992e3df8243e3bdeea57e3a94d954638ef1bcc3f4a106b

SHA512
70e75b4c9982112bcf2efcc3c29abd3e9cb9cfcf92d9cbc91689f8b8ae17e1590c0c2298a5e37ce119499005f30f6c583212adda0bb3ac58f2306191ae8591d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\AddinInstaller.dll

Filesize
34KB

MD5
74c8e73ac9df19ffae99f833d78b58ab

SHA1
f576f7eaa7f10aa8a062c3a8745f5905b796fc79

SHA256
cfd58977a316a67e3f3587703d3ba104dd9a04e88aec44fca06687143ac263c0

SHA512
da66eb6fb1c6423ed25bc8de4b7102e287e34510a10089eca6501c27243b03c9377dc9b14fb741e86198e3bfda5656e20073234f2dd62b41b20e084b4e34f180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.25702\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
985B

MD5
5995d7d0c7088db15b5c906d5910bb19

SHA1
f1aa2e752edc1c20a317f022613e582e32057d18

SHA256
4d7a73de9bb2d173fe4cfbc2415e40081c110bfa0c8bb8ee15c965a5741badb5

SHA512
267a1056d3a4c164afad6cb88fdb21596716cff7eb4f7b18fd4b6eb6c5aaa2a85ec5d1083231619f4600a87ded42e7744362017e46a589baf0151ff396129ae4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
08c92cd524c5e9d31e1ed7283e792716

SHA1
c87e1d6bff62f930d1e16b77c4005860ca889e4e

SHA256
aef83702d1b2930e032b5ac009f3983876e7b2d6db261871eb27ce8c75e313f1

SHA512
bc0823beed32e2dbb6a3a0b06f26799837a3a7a219f56fbe25a9cfbc0923a8b2c0c15cfba44542745cc5db780ce300b76dca9403c220c9ab1a20d35ae8a3f430

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
bb297e6b42dd2539ac7b48ff89a25859

SHA1
e3acd59c27acc12d13253d4b0961ac75ffdd6b69

SHA256
539e827e6c0f47bcfdf27452f6863b6ff923d331502e88cd6827d91c0dfc6b8d

SHA512
999eb26abb8f8a3f85fc254785a4a2c588f3fa8c26176eb86d5e7a9a3fe2eab75fd51acc0bae59a9a35e3b006bae79235b39c2f3dea601f7da3c7f11f67cada4

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
c6f275cdc7e77dca75f25e4e83d44936

SHA1
4a78b47743e8ca785e942f552a4d526e20132fb2

SHA256
374e574eb1cdfd2be89b5bffffb37ce34e3499108c4bd6f9ef110218f0a012b3

SHA512
5a8639f395b25f33107fcee91030b6dcd125eb04ff9e482d1aeb5c794f6548d81b9822d29370eb3710882625797668450d0796717e271248b6e38b913047b4f7

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
c274cac0010b549a0ea9f4e5e42f350f

SHA1
a253cfbb3b28bba92829a747e427ab94db563ea0

SHA256
398f455f862e9cc93bc6237344695b772678e9700be874c9ee44f6dd4ecc3dc4

SHA512
52dcc67b5667e26adf9bf739434f61a5005f783fa22971ae4da83f01b1c43a6676f7b97b037a3b267111506379144a623f81599b22b07d478bf694921d17b507

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
2d3861bbbeb3ed68b53ca7cb02925f4b

SHA1
2d4c07ae8349a67a82252db00739d1951df87218

SHA256
fefa127e1bfe0220a61f784e320581acc24529f5ee2614ed9080c96112bb8482

SHA512
c84554653bd7962809a9957f1c29299299e299faf112c5c8094a2350d4f0eddbd8fdd743e4557211ed19d1794353760581a2b4e0f06ef7479dfc4b2506c95300

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
361B

MD5
3bdad149194f97386a5432d8b50e0900

SHA1
9e47d151b6503274fdb5ff1fc7db0f779c28091c

SHA256
c8274b622797819c4626d950731b966ca541d21c637d86fd0fbe50a005bc97aa

SHA512
2ec97d913139ec3791f1963cebac094c98ae7bc9f88e76557d4770e77a3a68994cdec8eb37b8bd0b89a3767df1fa9e26d1962cb404bea55a779e88ca2fadc007

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe5830cf.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG38AF.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\Teams\meeting-addin\meeting-addin-t21-msi.log

Filesize
585B

MD5
44c46c426b57094e58b7f26a5cff3545

SHA1
a3ac265ff11bbe263d1e5c3a60887c713589abf2

SHA256
380079b6d8fb5dee3321ce73e2451a3ac9aa80b40afd6156acbac1f87d6c6f4b

SHA512
12eb81f41d3b47867dc156fad2d7baee79e13ee97970cc66005b254f9ad020b2f11c49f2dd4bdda5c7ab463f48139b84503fb4aa913ea39d66d7ed9b6e1dabe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
56KB

MD5
064589245f10348b0159064dc7f83d9a

SHA1
ab9024c532d26186fc2199cb91481ede102ee3d5

SHA256
5e49b67f767a64f8055eb5a220ada7ebdefeca323942cd6709afe5609a1ce4af

SHA512
0fa3928063c5d361fc4b1b6c9a51ba21157595728eb222469e540a56c2198d525fa2de2b6ac866ef8dd6192f6383ab34e1bef93e1c6812511a14f150ffd5ca6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
a9384aaf4f9686afb2398fe8c5d245e6

SHA1
d871b8abfd04679146b1d4dbc73ac4ef2c9a5dde

SHA256
6eea1d238a7a883bd9a146c94d6dbaa3e9898e9821c801a8d815a9402c2feb3d

SHA512
8536ca694a8d190cdad6f55660e329eb23abefc180b2e9d34edc34f63eeb26002aaeac1e6ee8427fcdf27d9fa84c05faa6dc70c1b9a77a70f5ac30cde84accec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
52KB

MD5
3eb317cd43a4997c738638895e712d09

SHA1
f970b6a810ce277a2d9803fe3db1b227ec950d0c

SHA256
cc39cc78e59f809578e21617b2710a638a7e6381090ed61354b48257874f0073

SHA512
46d3f6f3070f2eca8f96992627ee238a36a34f76db49b2f5f7ed92631086af5b484885a135cad4119322872efa652745c0457bde8aea7f72bc0709b9a70901ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
e18b8384be85768b1474b3421cd3aea9

SHA1
d9792ede593a92df1a40a6219a3a0c5b2f87962b

SHA256
a474723b63211a1cecec29b3f548df8c1bddf1a2e8e9dec09a9946679c3f5829

SHA512
4e26d46a23d775134fdc1e1ec1e4d1428c3538a3daab931bcc242b1aec5a7bc781d898c9178f95df7c91d45df05a685afbfd35418fd01338055f4d08805f86f4

Download Submit
C:\Windows\Installer\MSI364D.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI4EBA.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e58344a.msi

Filesize
13.2MB

MD5
cebba83400d9eb6d33ef0bb7332bdada

SHA1
21db05f342dc62d01a863c63164f83bf00ad7f8a

SHA256
2db4946704305d2f59ac879da7ec8f8a4d928d6badcc2fe2bea5f375fb2d2314

SHA512
2d082dbd6214c51c7226f9110b02c0d145cf30b181d274393b9a27ad38d86d43327cecfc15521770812e6772dc9885f9b0c704acabb58618ab196f8bd3fe24dc

Download Submit
memory/1216-322-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/1216-321-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/1216-308-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/1216-304-0x0000000004FA0000-0x0000000004FBA000-memory.dmp

Filesize
104KB

Download
memory/2124-22-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/2124-10-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/2124-23-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/2124-19-0x0000000007980000-0x00000000079A6000-memory.dmp

Filesize
152KB

Download
memory/2124-16-0x0000000006A30000-0x0000000006F5C000-memory.dmp

Filesize
5.2MB

Download
memory/2124-13-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/2124-11-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/2124-26-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/2124-24-0x000000000CB50000-0x000000000CB88000-memory.dmp

Filesize
224KB

Download
memory/2124-25-0x000000000CB20000-0x000000000CB2E000-memory.dmp

Filesize
56KB

Download
memory/2124-9-0x0000000001B40000-0x0000000001B4A000-memory.dmp

Filesize
40KB

Download
memory/2124-35-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/2124-8-0x0000000000E40000-0x00000000010BA000-memory.dmp

Filesize
2.5MB

Download
memory/2124-27-0x0000000073B6E000-0x0000000073B6F000-memory.dmp

Filesize
4KB

Download
memory/2124-28-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download
memory/2124-7-0x0000000073B6E000-0x0000000073B6F000-memory.dmp

Filesize
4KB

Download
memory/2124-31-0x0000000073B60000-0x0000000074310000-memory.dmp

Filesize
7.7MB

Download