156cafa6da98a57e481aab74ef748726bd4dce2912536fb59e65d9a57a3ae7a7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

microsoft-teams.exe
Size

1.4MB
MD5

092bff0405ab418fe22c565e231be2ba
SHA1

8aef2b7d83b3d5ae55b24f25ab6621bb2dea9287
SHA256

156cafa6da98a57e481aab74ef748726bd4dce2912536fb59e65d9a57a3ae7a7
SHA512

ea88a6265562f56914c68deb0f86f115b170b36297afa45bb59c3777ec056d50598ee055d7a3c1e10a6a24f84e96ece69a594715e43c9aa28ab76e63fc8da5f0
SSDEEP

24576:4NYuPOTryV7OXRiYZgJw2K9KS74fVyhfP0dhyaz/PxSbQOUP8oSf37Z3/UyD:MOX6743ZvFKS74Nwfahyazx0LZ3jD

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Teams.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
2760	Update.exe
1828	Squirrel.exe
4996	Teams.exe
2928	Teams.exe
1916	Teams.exe
3048	Teams.exe
1360	Teams.exe
836	Teams.exe

Loads dropped DLL 29 IoCs

pid	Process
4996	Teams.exe
4996	Teams.exe
4996	Teams.exe
4996	Teams.exe
2928	Teams.exe
2928	Teams.exe
2928	Teams.exe
2928	Teams.exe
2928	Teams.exe
1916	Teams.exe
3048	Teams.exe
5932	regsvr32.exe
5976	regsvr32.exe
5976	regsvr32.exe
5976	regsvr32.exe
5976	regsvr32.exe
3048	Teams.exe
6020	regsvr32.exe
6020	regsvr32.exe
6020	regsvr32.exe
6020	regsvr32.exe
3048	Teams.exe
3048	Teams.exe
1360	Teams.exe
1360	Teams.exe
1360	Teams.exe
1360	Teams.exe
1360	Teams.exe
836	Teams.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Teams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Squirrel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft-teams.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{A0C3E9BA-C622-45A2-9FED-2C662F3F489A}\ = "IRoomMessage"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{C12F0DE5-9A7D-425C-B391-8BE004EAA2F6}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{F0CE810F-E36F-4CD8-A836-515B9A6E09FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{209DA899-15F1-499A-B8B5-A847EAA899AE}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{D0DBB17D-565E-486C-A47B-BA32DC1FAD0A}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{BD891697-C93E-4A0B-9B6C-004BD81B6EE8}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{995F992C-9DEF-47B9-BF11-81813C0C0E28}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{8AFFB8CE-5404-4280-BCA3-E2E4388E6D73}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{04378C72-E58F-47C0-8621-901B85CA2ED4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{D0984CEF-E323-4574-B07B-5C970C9CAEE0}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{21629AB6-9557-4985-9237-49177F618692}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{86B3E5FE-4635-4C1E-A725-C80B71D04984}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{68DA8699-6C6E-4390-BD82-709FF1DC1702}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{4EE0CE21-96D6-461F-8D44-EAC961468E50}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{DC63D621-11C8-4490-B017-B8C57EE1BE25}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{EFEC2816-F16D-48D8-9306-26C810F0EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{18A9A79A-CBC7-4F8B-8B2B-9B40CA75EC3C}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{7B39CB77-4AEB-42D7-B351-CB5472C1C6AD}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{B1F5BCD8-69A6-4FC3-9EF0-9BD4AD999061}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{5418E2AB-EB9A-4659-B4DC-28DE633B2B8F}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{9112CE9B-3704-48C0-86DC-7A7B0F34D7A3}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{AA41EE75-F9C5-42F7-8D17-1D92D6BA4D92}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{25D64AEA-0E65-49CB-8D6D-65DB0AC1AF65}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{70DCCE38-90BF-4428-A34F-3A6082F29E50}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{9112CE9B-3704-48C0-86DC-7A7B0F34D7A3}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{B8FD4A53-E7E6-4995-A5B5-1306C7584964}\ = "IUnreadMessageCountChangedEventData"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{3187885C-A8AF-4D4B-8E80-F4B9D447A7B2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{0FDB5B86-DD44-41BF-A443-317FD19BBF3D}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{62074904-8D06-43FE-A531-E63DF7FDC2E7}\ = "IModalityPropertyDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{209DA899-15F1-499A-B8B5-A847EAA899AE}\ = "IRepresentationInfo"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{7CFE77CD-731D-48B2-82B1-ECA3414D62E3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{81C9D13F-A4F9-4E13-92D3-BB271E8DF3D2}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{B1F3ACAE-139E-41D4-A5CE-50FE87A29737}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{2D3D62CA-E9F6-4F94-8EBD-5FABAB29E6A5}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{61CE9972-C619-4A88-A5D1-D2DFBCD4D2A1}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{53972397-8CC6-40DC-86A4-F27DE5E0CCCE}\ = "IMeetingInfo"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{1FF0E6F1-2FE4-4E29-A123-557AF0DB6927}\ = "IContactEndpoint"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{53D014C1-54DB-42B3-9DFD-8E231EF2C356}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{311DDE48-ED7D-46FA-9E0A-2E314B7FEF7C}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{F87AFD9A-9BF8-4AC4-953E-33C4D2035D33}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{06437ABB-C419-4B11-A474-1A2B02FBD646}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{B00F2520-029C-47D0-B4E8-8FBEF47CAA7E}\ = "IVideoViewInformationDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{FD9000B3-479F-4B16-9D63-70A49E078946}\ = "IContactSettingDictionary"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{311DDE48-ED7D-46FA-9E0A-2E314B7FEF7C}\ = "_IContactCallback"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{F644C610-A146-4A56-8338-A69C45C71CEF}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{08DDF5C4-FA12-4978-B26E-C6D23C453413}\ = "_IDeviceManagerCallback"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{10FDD9BA-0CBA-4958-B6C8-D0912BF2703F}\ = "IContact2"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{00E22CBB-3170-453A-AE62-EAFBC75A9F8D}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{62A75516-C79B-42D7-8B49-3BA492C2B385}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{DBA05C15-1C07-4A76-8248-08D8416A24E3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{95B8D3E8-F3D5-4DC0-BCFE-AB80C835DEA0}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{464D5228-9F68-4B1F-B430-156A104E2B85}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{B0C10F94-CAB6-4821-9643-D781885A46AF}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{9112CE9B-3704-48C0-86DC-7A7B0F34D7A3}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{53972397-8CC6-40DC-86A4-F27DE5E0CCCE}\ = "IMeetingInfo"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{B22EDBEA-9E61-4703-82BE-01C05619B6D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{26C8D96D-7D22-4E9E-948A-EDCCB4CA9C64}\ = "_IParticipantCallback"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{A9AAB6A0-54B9-4419-AAAF-6B26DFAC1585}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{86B3E5FE-4635-4C1E-A725-C80B71D04984}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{8E839AF9-9508-475A-AA47-3EE8A946B75E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{219DC126-9A48-483F-80C2-3F22B3B47829}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\Interface\{806D3227-4CB8-47C4-9864-7D4DF4F44069}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Interface\{F87AFD9A-9BF8-4AC4-953E-33C4D2035D33}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Teams.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Teams.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Teams.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	Update.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	4996	Teams.exe
Token: SeCreatePagefilePrivilege	4996	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe
Token: SeCreatePagefilePrivilege	3048	Teams.exe
Token: SeShutdownPrivilege	3048	Teams.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2760	2008	microsoft-teams.exe	85
PID 2008 wrote to memory of 2760	2008	microsoft-teams.exe	85
PID 2008 wrote to memory of 2760	2008	microsoft-teams.exe	85
PID 2760 wrote to memory of 1828	2760	Update.exe	99
PID 2760 wrote to memory of 1828	2760	Update.exe	99
PID 2760 wrote to memory of 1828	2760	Update.exe	99
PID 2760 wrote to memory of 4996	2760	Update.exe	100
PID 2760 wrote to memory of 4996	2760	Update.exe	100
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 2928	4996	Teams.exe	102
PID 4996 wrote to memory of 1916	4996	Teams.exe	103
PID 4996 wrote to memory of 1916	4996	Teams.exe	103
PID 2760 wrote to memory of 3048	2760	Update.exe	108
PID 2760 wrote to memory of 3048	2760	Update.exe	108
PID 2760 wrote to memory of 5932	2760	Update.exe	109
PID 2760 wrote to memory of 5932	2760	Update.exe	109
PID 2760 wrote to memory of 5932	2760	Update.exe	109
PID 5932 wrote to memory of 5976	5932	regsvr32.exe	110
PID 5932 wrote to memory of 5976	5932	regsvr32.exe	110
PID 2760 wrote to memory of 6020	2760	Update.exe	111
PID 2760 wrote to memory of 6020	2760	Update.exe	111
PID 2760 wrote to memory of 6020	2760	Update.exe	111
PID 3048 wrote to memory of 1360	3048	Teams.exe	112

C:\Users\Admin\AppData\Local\Temp\microsoft-teams.exe
"C:\Users\Admin\AppData\Local\Temp\microsoft-teams.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=microsoft-teams.exe --bootstrapperMode
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1828
- - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.19353
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1960,i,9044157746959480817,5503154186417582591,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2928
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2224 --field-trial-handle=1960,i,9044157746959480817,5503154186417582591,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1916
- - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1912,i,2724286875310476078,8381729383624592445,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1360
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2196 --field-trial-handle=1912,i,2724286875310476078,8381729383624592445,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:836
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\Microsoft.Teams.AddinLoader.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5932
  - - C:\Windows\system32\regsvr32.exe
      /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\Microsoft.Teams.AddinLoader.dll"
      4⤵
      Loads dropped DLL
      PID:5976
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\Microsoft.Teams.AddinLoader.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\Microsoft.Teams.AddinLoader.dll

Filesize
243KB

MD5
1a9ae9934a774bcffcbab3d94dd17b37

SHA1
b5c44ec32474637f1700ecfe0f502687a596a9f0

SHA256
5ec09fb1d54bb5e57380af2578a609a0feff1f46d208f1a3fa4a230a653214ce

SHA512
df773c4e495bef8470b93771a314cb38daf87ae44774005a7aac21314d43f765d65feef22048491a222ec66078ee4e97df8c987e5049d114d206bc0b1c5c5bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\Microsoft.Web.WebView2.Wpf.dll

Filesize
49KB

MD5
b892e390743fa35cdd66ec64afe1148b

SHA1
dee84b5e35368ad442bc5bcb03411f00efaa5ae8

SHA256
d78de958e99694116bacfd64c5108c4fe7815760fd34ab01191950e6383a86f3

SHA512
9aae79891650552d9ce0785e07f715709a406ea77947cb08ca729c10af71e174b0ec7fed96deeba84011ecff3dede57a940db9bf6bd8753f31881c5f6e097fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\msvcp140.dll

Filesize
561KB

MD5
63e099115f372c01ff8bbe15906b7260

SHA1
230e853f4b1dfe8814a4227b6e8a72857e9acc58

SHA256
7c67e96c739f985d459359c6e85c5009f13cbf58f4eb11d4384732b98631d8a2

SHA512
5e02970048153d46c4824c504217611abebc87a7fc9139b00afbb88fa2ca96db8b0e295984fceaf84b26fe952e71f9c011d17a317597c5638133b9225326c542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\vcruntime140.dll

Filesize
104KB

MD5
48f2f7733d64e69c6efea377135c583e

SHA1
eb6b6bb840b7d7392f9a79a5bb7b60355a250266

SHA256
99abae003c0595396be1c1be973f6b66391d7ee128d317cb2d555d4dcba8d029

SHA512
0f10c65015f364d4cdfc63573518c55631a0d620a488e05d4b5ce42af6bec836631250ceaad5dad594079eb5daff3d09289b01590afcf7ae06dc7d62e98b8597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\vcruntime140_1.dll

Filesize
46KB

MD5
ec676c1feb470efea27f8aa43ad2f14d

SHA1
1f10c973f82feeb7ea2a517b89e8fcc8552b692c

SHA256
7ae3ecebd01c850aa09bad0ee497d4daa6ec89f09cd3ed5df4d5cc4aec0a40ee

SHA512
0a792b2c06244a37a5b26b4dd4a59ec862b0dba06011410808f41cc456a6b8699ff3ccd65ce93a6b4062aa87f93be3c0c8d2f914069891c923b81e728bf7381a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\MSVCP140.dll

Filesize
436KB

MD5
eb378edd8807d283545757a11783affe

SHA1
8dd8f70b6a62dfc2949a70db355f7894e79ec625

SHA256
34b30dbaec1deeceece4fe9605ca19fdf979aa178df3e83cd07d98bfd1146acf

SHA512
40d41f6abb4225b465ef3e5ff03ebe5dc1e064b90db8f6bc6f0853f63016d4dcbd612cfe28cf2fa210b98db58ed125e1ce50545aba4491b51a465f26ac802548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\Microsoft.Teams.AddinLoader.dll

Filesize
246KB

MD5
b20189e203c47742fec9803d528356e3

SHA1
1bbec0d3b5ee2eb67eff874cbed9d2dead8271bf

SHA256
dcba289290e3694e487f7e253b13169aabac86ba4df72b16ab2ce1224a31046e

SHA512
ee1ecf2158d4fff2071f702075fe2d071b3f6241860335880083ec1ae5dcd87e141cfcf4423d93dff70b654782639c7a7aa07e81a2c0c3557da1dffa9fb07e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\Microsoft.Web.WebView2.Core.dll

Filesize
288KB

MD5
65915807422184812ea7113f0f7ad73a

SHA1
5af59c513c4c24719f9420dd178022747ea1f977

SHA256
c96ec916877e28f7fcebac27c46ba3f5339933e656502a1d25e76ba92d217d54

SHA512
c1192e7a8d84b2a80aa4dd60d1f72ae09afb39c6b22e079f2e8cb73b7a64ecb6d62be8364af82e923b46cf88705436cd498bc1332ddd87805f70bbcb33afa6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\Microsoft.Web.WebView2.WinForms.dll

Filesize
44KB

MD5
32ab3256bfb6d76c97a0ee09cc42aac8

SHA1
3df9bcb13ef6077a4aa68baac67dd3c4fb89c36d

SHA256
3edf656bf7f5f2f4ddef70977f411f5ee89c428b5ed9a973577778a5e8d31362

SHA512
118ce9204475ebcaf44cc67b6a90d9722d486b0f520e49680594e1ddf8394da0776bbfd5e0f36434ffa3fe2caa6069e2e1da4bc487da06d0deaf37554ce98139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\Newtonsoft.Json.dll

Filesize
697KB

MD5
cb94b1752c8ff2047dc25c78b0771efa

SHA1
e08d32befc4050c5aeb8279354520c94bf942dcd

SHA256
ada59a0c44fa2e0b3db097bdce3cb50630bc85c602b79eaa91fb659a1150db93

SHA512
31b24577a90a72769e9e74d6bdbfb51467fafc7b88422dfbc2494d2fb4e940b3090e1aa2c6002e59cd67fb80ca040a020515fa077af28386fb3bf83a42c480e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x86\VCRUNTIME140.dll

Filesize
85KB

MD5
f92c9a1366d9889bcef42191a4657150

SHA1
c08eb3da06ec1e6398e4bf3106a4e1c3248bbd91

SHA256
31181363dd0b923570e558290a717e91385c06dd25ce3c24157959988634e5a5

SHA512
de8493cfe17b91983a7546d7fb928511eba66db9895de6999ee1b0ff8a50ce10f458fe8c1c67c394f69b4bcc765d7a6e29c09079db0e34c79648267cb663bb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\meeting-addin-install-logs.txt

Filesize
810B

MD5
a33433b06c55574158cc8c85152ae41c

SHA1
1728ae01f0c8f58d4eb06b67fb3f36930d8a8528

SHA256
295314649de5b8a1ee9d686a95b0e12e0afc94fcb8124a926f78697172d9d31f

SHA512
af936b0b836b0792f3f4d9d1790cfbda8afd5eb75c3997063de8f61d8a261ac01c0e7f5582a0f2488ffa01b1513a0fa23b885044e0f5af6daf90dccd4dea27c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsPresenceAddin\Uc.tlb

Filesize
445KB

MD5
e3c8b42670ebb0530ee81f427671aaa1

SHA1
f8c75abc800c7326e6e814947390c14575d691cb

SHA256
1b31630cd15bfdc663b9630790b968aee407730dc94f48bb96fbedac9ecb1002

SHA512
4cca913dd1890dbfa72195eff3cb5856ac6c01a4a910df719376ea13264e129823d3788eb874c222534aee1e1cf7b3ace71900002252449a872bb3c9447f3b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsPresenceAddin\Uc.win32.tlb

Filesize
445KB

MD5
2eb6c328ace10bee32eecb6609578aab

SHA1
3fde2f845cf62ff557fd49e46fa6f761cff4c7ea

SHA256
40f438a5f0d0e9ff5bbcab29d51bc7b6cba03548c5db021a05426665a2f98a69

SHA512
e4ff466ceba47c71046985ab1e62877bfc57d5a98f0e966c46f64fb23710c85cc2aa3bd2f4b0abc134d18a501d7a01ffe881110fc57a8b5ddb07c89dcd4f3514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsPresenceAddin\presence-addin-install-logs.txt

Filesize
757B

MD5
794b2905d5973d13c6436695bdeaa786

SHA1
ee6b0046666962bf41dd6da8d45e895dfd0d5918

SHA256
fd4a22693a2cb2c7ed5872bb7c616d4f3779fb1491435815b13f36f36e03eed1

SHA512
469aa0e8a7b9f2784f57f2379e677d2991551c476c298dcd120488a97652c9bd69f72b3720ba0ca1697bd9eea64153ded63d8dfaf1d45df7244b1460b19ecfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\app.ico

Filesize
168KB

MD5
247d14144a313421d8d84aa0ea54d249

SHA1
83befdd6eba57faa3d3074aa08a28a4e8d75076a

SHA256
2d5aa67b8ace13a94fd09316787e3c9aba2adac767b6e2ab769a2265a2ad20f0

SHA512
f2d79a2a75148efaf90a4a92980e781b1f94a4a1034383ffe5749983085ef7eafa29d4804094296b212795501b4b4a126bc47c24a91b60c24104bc4b24d99565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe

Filesize
2.5MB

MD5
21e6a3d569e00dd4a91364604a8825e2

SHA1
47d7d4f3c395f20a6341a0e835ae82a28c251ae0

SHA256
79495998b7fc91768ece81f0fed8e9c9dd0c805fb5a127fe3b6b569f44cb678c

SHA512
bc095ce365993d9ffa970972f41167906a018533daa74a8ccd7d297b59643dfa9828d3b6a0ed0ad757938f04178d0bca2a33fae9866e244389cdaafc7c2a4614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\d3dcompiler_47.dll

Filesize
4.7MB

MD5
4f397f41e3d5329e9acb8cdd1ba4a536

SHA1
c47a9da990bd2cc01d368a30ddc9de3bc7fbe9fd

SHA256
72ed23e6e776f2fa2b6956afb272ff4e57abd9a49327962f8067a883d4c61ed0

SHA512
a8e5abdffde05bd189bc40218c3726741d494d7cc6fcdc699bdbbe57fb7a4699756d6e56fc97ff2fa4ee89e2db043ef9305045867ad738f139d2e8683ed09ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\ffmpeg.dll

Filesize
2.7MB

MD5
70367bcd68fc3cc75b0d720f3abd6efd

SHA1
319c154c4ef92e9742e035e5757a1a7e7c85ae2d

SHA256
87f9e8b4e3b48d369436cbb533e74c1df8f4ee7582e2e9b88098029e9948450c

SHA512
ca223ba46a743dc9045e9330b3d4f30c02b406bd59de05d14e5ae1c9af9488c3c874868ccd2a7868ff885beb94643722fe7567efbcbf196f86224908ac4c15d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\icudtl.dat

Filesize
10.0MB

MD5
5b25035a389d54a5fa442b7dfe8bbd58

SHA1
908055ff1e81f36143762194ade39eebd006755b

SHA256
30432a9b9b4cdc5feb4ef154dde378df1ae541203ba2fcffbf08bd76a2ddb353

SHA512
3c6edeb7e43f07135394b2aef589bff989570efff10ea9afc06c1f7a981e3797d13d1429f4568415d0c67d6324cf7d487df8248674f575edf43968b885d852d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libEGL.dll

Filesize
502KB

MD5
ee5745ee1d7fbec33951f47b2438434f

SHA1
d98cd5964125ec6c3171b63a8985726e9e20d749

SHA256
9ac1e7da0caf19d482469bfacd94308c819ffe3c7d1d41c078f698a43b11ef55

SHA512
722bcf0281a82381d01c28acb7c0ada73cd9cd025309f86e7bf4ead1f281d6855281e4e10cb223f0d8a5b72916daa83a0b682b3e03c538cf84f1b614dd8d3778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\libGLESv2.dll

Filesize
7.2MB

MD5
13aa2277b034a8d0363d9dd9de65ce7e

SHA1
1cc2d80a23acbc48a14d0519faf184c2b9cb4b57

SHA256
3d4283c4ed684f91599e7c5c64e4d0630f2d1d76f755b3d1f73423038ea1383e

SHA512
62fc585b5c50cb5e5f32e4f36ddd6608385e2c198ebf0241a724738169981caa7765bdc0e27c7e0759c5999b1822ef03401b201a365e3b7e0c2ab97c95a7b089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources.pak

Filesize
5.1MB

MD5
3e97cb3867a1a584eb5b5395cadd4f54

SHA1
c5366504f4e739eb920fa657ffcfcc85d4eb8e7d

SHA256
d688e9d44feb71e9873cbca63ee8e2228e956888a7a16518b689c6afed627268

SHA512
3b933f0f979fc141f5b4733b63edd22c07ef62ef5033ac7723443dc7998d42a28595fc76506f89bd517a6f7203a6f2ab4ec63701d55244dfbfa5b8fbfaac2cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar

Filesize
25.6MB

MD5
853eadd320e5b3a211c63d0c4f0d83d6

SHA1
49378f3635e2cca0fc72937fb51cbdebe7b629ca

SHA256
34bdc9070b314e7e0bfe0c1315521d815ea093c352ed269e215a034d07aca6b7

SHA512
4c96457f3f31b6fb172847ee3b7b8c8f7643756d85ba1a6df8c0c16645c424dc765f457d39c841327bb7e917c51259b3588a7a75b9a6704ee02210a1de2c7083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.node

Filesize
204KB

MD5
8e8602f128608787d2de6dc3648c2fff

SHA1
2a27163241b0e81a3ae6c289675e6e569301d82a

SHA256
9a05667860aadbd3e32d39ace7d14661d7be64543f9e8e95c18cdd12f3efc833

SHA512
cc802983d0c8dcf1ec87751530e6501a0e37a92b9bbc0f0797f426bb0ee5f94d07c2cfddf5fe41f5fa7840bc9188a0f23c1c2b5d55b2de633707bf547be55980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.node

Filesize
234KB

MD5
b6d7bdd0021faa04f60ed21a14d1039b

SHA1
68d9eb75457586ea4f68ef293c29ca31c3c8e64d

SHA256
13348384f9d1d4ed3ba6df6d98f41de7f2594038f477f08cc830a23aef4f8515

SHA512
8a063a37c2fe40e4da80e2b3aaf15d52e43734191adcac5b0663be38e1daa071da9a3d8eda56610dfa07250566e9735ea54e2fd941c41d7c53a3e8439e1f546b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.node

Filesize
204KB

MD5
e9bd00a08f4375d94ac7a38df01ba948

SHA1
511a4336fb58527179a7799a47a7ad9973676ed5

SHA256
ac28b67899e5ed759a56234b8b28a40ac247b52a495bede169ae76b3805d5310

SHA512
c4ec0c5a6d864c657784de652269ccbc6919c44b3a6a2e8fddebecd62fa584564d58f3e750c2ee1b4c6a6dd432b2dc21ca8f5c1fa738ef4a953eb000852deaad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\AddinInstaller.dll

Filesize
34KB

MD5
d85b3f0407d3d1e4b4e5f89e10a7cd85

SHA1
24be514867705e2bcc84d2fc716e93b904fe00eb

SHA256
51ec1f481fb0fe28b4e0ea9fb9b01933756358f5db5783bb9d51032b28555a9e

SHA512
9bc0fec81ecc66c972f7ad1ef91d41649b6e33850d556018ab7f0e0ee30ace1f1129ce8aa5442de715badd8425f73bb7d5a1702043c4d70165c5238a96d75b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Large_120.png

Filesize
1016B

MD5
e3b1ba3900bffae493b4463f9a6fbc48

SHA1
0bddcab7f9537f01900cb7a7ab0fbb1042e460e7

SHA256
8fde3d7378d0e9148068c3a9406d5bd754e93c9810ff5d2b8535fc2b65e0830e

SHA512
8ca0a6304bd871b1f2beccf6af9cbb2ec97d05b233b9388cfc760b262509b8bf6f9b50b837d21018fca6e8627fa11ae67f6af49440a837701b4c9ae920585246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Large_144.png

Filesize
1KB

MD5
6974cfc337bf190d728c6824ef94afb6

SHA1
741daba13f01c19518e2e1e72a93df2c96227934

SHA256
115340c0940669c7a55670f03737492fb86d5e34e0390e5664eea3f9b4147b0c

SHA512
679afa5d417748680624314a6e5ff63cbf37d11bf5e95fd2d2114076f1dcd75196849eb39b1d456a8a5db0019ef2c4c2fd61ea70651daf158b87a69d8b017faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Large_192.png

Filesize
1KB

MD5
177094a528723cef49fa2ffdfab57cf5

SHA1
cbae150edcd83f2e9bb87a0bb86cf076eebc41c2

SHA256
66cd5e3cfc69af5087d33c570cfe424b50935b01c27e618ca11822ac7ae6d1e6

SHA512
ad9394116d2e132eb2bff48f1ae4ab7aec5b372ffd2b7b41e29cd8bf26c87725bb48d0c3ad85f7c3c94b4556872a06876d1e95f4ad8a0cf63dd949dbe350d8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Large_96.png

Filesize
821B

MD5
fafba571265b20e0ec4423fead972e1b

SHA1
b686d74ff48e3b990f0e312bb0f3af4e8f53069a

SHA256
1fb3b4832e92b1e2f998cd2ff4a872000822cbb897d869194195e5c4f8d43cd0

SHA512
d0523ccc27436a80c5a14094ad244349efe68fb5a813f97539c3025fcc1f05d6cec9b8ffd04883e35bcd787a36901246687162b4b86717e81e747b2cf035dd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Small_120.png

Filesize
574B

MD5
503e86e4628933d17b5b41b4918d6c9f

SHA1
f884f45cf4ef5b435e554ea30f654f076e50bdf5

SHA256
1c80cc98643e1d060b9443c98e9afe663125398f7bb99e5bab2c0eb952c9c111

SHA512
22d115a09597f7a8cb0c5bcd0e0bba55798d3a431b28ec27e9ddaa356bf0af674bdb78e6d9a3911e2750354d42a8ad628ebd0a7716410360f6d1160258e12c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Small_144.png

Filesize
627B

MD5
75713d844925ac3404d59c5d56dd996a

SHA1
88f0f5b5450772a85fd61fb5fd54c3a6f7e48585

SHA256
d4746496079e9c334715958852fa8fb59e54dbdead19d83001fa15c1793d27b2

SHA512
b60e132bd5251084b2c7a22591d72dfdfebb7a24987adb8e78ca345694f6043c1f3c7a9205b6052cf3846fcf33179506bff88c1d1bc8093a7563cf150ec5d30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Small_192.png

Filesize
875B

MD5
f323d73771349b6374462b8a4b708d83

SHA1
39f8860aec7ac9ff8df80c770a23f3ac8c3be4a1

SHA256
ea0327cd2d987cf069747f70a317e552c0304170177101aa578f04d2ebe9ffb6

SHA512
5377fd3886fcdef87b61f1cc825655e6b977e370563b2c2f7b3bb675b8adcce621a47f056945a9c0a41f9c10bf4df6694167e62a310b146587f898d39e753eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x64\Assets\NewMeeting_Small_96.png

Filesize
483B

MD5
a2761de768472d09d1e02c92ebd144b5

SHA1
60ba18f0ff47b9e9c3e23b5ae9e95e3d319b5c5d

SHA256
ac7fe3232888bf96c520d586c723149cd3127e1ce7cc65bc35ba1984cc27bbca

SHA512
f330db55b79e561d2dac1cd051421f91d6981a489a004eb0eae3ae090b1386ddf46efb675a9b6f75a0bb83f741b5da12e4dfb872ee41782773bfaec9014ca667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x86\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
76KB

MD5
ff6684d5368c15043903bd90cf51fc26

SHA1
497f9fab79c49fe7e0f8eda9d6f1b39424928750

SHA256
0506fb0c4eee19e2946f3f262f22770e3994be62a8b22a1b3cb2be2743d9ad76

SHA512
f70cf97a75cd6d7c844160d24bf62d7432bfd1a768a8105f77e3bf4da1abeee810f71ef64b9a5b61b2298d946982c59de5101f6ca2e7e5206a9523e263997820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x86\Microsoft.IdentityModel.Logging.dll

Filesize
40KB

MD5
092bdc688b2e7e6ebba99f88c014bf48

SHA1
f1601d82b65907977ea71c4d365009a6bdc9ba68

SHA256
8636f282472e47f2b663b553139c2f0b11892814a6dd0424efdb6ab1ba60e2b4

SHA512
585256aa7df2c497c2988e9381f1c30886dd33de231f02a5be6197ef6327bb16c527980f713a741a7bea71b3673a524f1924cc57e7a23e699eb838d99af332c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x86\Microsoft.IdentityModel.Tokens.dll

Filesize
915KB

MD5
90a3a4487498b81fa2bc97411bf80a0e

SHA1
fa659a0c6b4a0e16f4938f65471793b44fcd2ef3

SHA256
03e63ce7b0ea9532f0407a68df7e8bf870b71c8483e26e1fb487766eda4b4969

SHA512
a79d38b670634f4c972f1e5d754683e7fb97d23512d8d9518bf0f67d22e5bc380a32128e044a1807698644631c46da93c36dabb23ab4a4430cefc9c6ed5b906b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x86\Microsoft.Teams.MeetingAddin.dll.config

Filesize
515B

MD5
ed080ed5825cf4893ca4f7d1395b9957

SHA1
3905e190109e5df90676f4716a69c815a6e52b44

SHA256
29f368def465f1ae30df31ebca4a976f180dbcf3718605b4acb0d6da95a30855

SHA512
73041863b7916b21a56d5c61933d9922d24b15548d7356dfee42c3ab617f72a04aa8080f3c5eb3f21d968ffb38c7244d4484e78540bf6bb8fc93600a017e43d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x86\System.IdentityModel.Tokens.Jwt.dll

Filesize
91KB

MD5
017ec23c96d047c01ea9878d0c2fe946

SHA1
a18ba35b7eeb358b6b551d79a693e270915e2c65

SHA256
d0fd7f1cac2c0d9e6eb0d8a68b9cbfb50b7f582f7484eba5d913408d41967646

SHA512
08a39fa8cfd75d43c43db81195ec4f8c1b1cf8948995e687c6f5d1a48cf40aa47d3ad9873eb17768cb0df538434002155f438cc06521932eb21d9620afd0a62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.2\x86\System.Net.Http.Formatting.dll

Filesize
185KB

MD5
ae4c418765f0bde533c88be39ec412a6

SHA1
b08b24191f992a7fa16733518bd5cbf2dcfbf784

SHA256
970f07da17f7112842746cb319eab7a4d57a5d1e37a4b940bb3e1780e7a376fd

SHA512
5f2adff16fbc93f98c017f1d38f93dd081d7a8bfaddcc0c0bddaf076291c33ad8cdb3cba49f89977eb78d07552b51416722e5c1fa5b07da117a0176520af18f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\v8_context_snapshot.bin

Filesize
472KB

MD5
9295df4ae3d0ef456eafbac5e7e4bb75

SHA1
1234b23ab66d82f718efd98b7fb153e9b6636295

SHA256
766b05836b9a60233a50b19bfcfcc0b1e48dd6c1bf501ad193c712be59050220

SHA512
3840c4ca95847dcd18a8f6967a1039715d0370a0756045393c95c1286cbdcbcb8c383cc08fe366e94f846e4a99e20cd9165d2424c00ad4e1df7fc5ee429373db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\current\vk_swiftshader.dll

Filesize
4.9MB

MD5
778a85ac299697932f9d4ae33f966291

SHA1
471137c2d3f4d2a5ba48cfc2f2894262dab04262

SHA256
7484b3790f481018f71278e1e4e295faa0f2c358e4fbcf6939f5fe2dd66d2a26

SHA512
dece48f9b31d97cf8a4273284487ee41395dc7f1bc86987164d3e5e25698041faa52fec5d6be7de2f4c6fda015efb4bb988d9230df7d9e4a39f03a5495c7a777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Teams\packages\RELEASES

Filesize
83B

MD5
279b0282b533547a1b4c8816c92a9c2a

SHA1
fdead2611ab097bcc8cdd2c3c09e9250efb5965d

SHA256
918acf9cf0ceec38dd561d478d991c953a80837b220d0968eb0c414e11b0f3c4

SHA512
0eaa8e5dccc13ab9f60449152a8465b7a573bb277dd620596ba6c4933c8d7ee4d5e4b87e907d56f1ea0837ca1d2b6526ab632419e4c0d9be0c31241e77e9a4a0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.4MB

MD5
55d2be3ea0dc1dcaeefddd7ed12c05e9

SHA1
f7be8b87f666f90b0e55c1d95bad9e048cde3b91

SHA256
5caccd37e4df62dcf709605de3f79664de7190534b56cd69bcc96bdf0f939437

SHA512
347588473c93dc0f830509eabb2e62927c8a48aec3e537c1d9af8e0826c5ed4fc321ab0ec4f1bd18cabd328e236118a3d7ba7f72c4343128daba59631d9f91ee

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
8KB

MD5
ff1f29dca0451246c3ca6cb7b023434f

SHA1
b26bea187f072d9a401b7fd06661492418b893ec

SHA256
753d7d351e427246e2b6cc86c45e21f952939e306c3eb2fdb1bd7d67842c64b8

SHA512
ad3d2bac2ada88cba32567a5c2dc67c7b4e3a0d0834c262e577dd77bf3b38cd60b35df72407cbea256343ced449d9c7c01d0a6ee58eb8d1188695359f47e15f2

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
344B

MD5
677cab9a8b50ad026cfa7625a35dd2d7

SHA1
236780c5fbf2d5607f7cb165549584c9153112a2

SHA256
07890dda20815e1e57dca9553f5dfcff1b85f4a4369685d4991599e2618978f0

SHA512
d1863063926b405a6bade3327cfde25983d94e626d568abbdbdff9ae95e00061ed9ca80cc03a826c2144e4469a2734ea887a6c56ae0ed0caf70ce0077d219162

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\Local State

Filesize
389B

MD5
9382fbeb269c7d775be1065929e3a86f

SHA1
39cbbc96e452a2204db7c3c6478d60725f4909b4

SHA256
c2e41e5b7ca887d320f69bbaeec530290ce130becfec5331f3fbfe5de7113964

SHA512
b0701538e3860ad134677f0c5319d04dcfc1cd0175112f52a27775ff64c37b09b2a1760afa5db7bedb7e54f0aa769872ab16adf43919b1b7e678af921997d9ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
15KB

MD5
6c3044cd7bc18aa918dfa338369f2561

SHA1
23c3ba5338ca37ba032b74fa657f4569cb96a4f2

SHA256
9d7cca8dd571703e3c8700146e9d9cec02129164caff580161fb9e99fde2dd87

SHA512
3c42079c281a907a7a4ae9ee339f9767a63e63f8319e3e100e0e38b6669e0858c5f167e322862365f1d3057de1e79433d176d7c9f569c8ff4712a01974579ebb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
5KB

MD5
5cccee67f4081bea018297361de02b5d

SHA1
d5dacfc7f257c41a84808a99d5dafce3f2375cc6

SHA256
8e026351f36f30a90d538833c9b00fdd86a6fa82b013a7cfd383da62851deed3

SHA512
4ce1b92a56bcda07930b45456a1c15b874145c6c8d517065f74057da9f0f50be84b5f1cd7cd9c64f074d3dd726eb06a2719be5de81e21f9e1e760cbe97fcac75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log

Filesize
6KB

MD5
11fa6ef8bd799699d671c4dc4856cc57

SHA1
53b2b0234a0e98a1c668051cdcb0d19b6da8dee6

SHA256
5d28f43d52e6c0186cee825b102bcfe89780d97e6c3a1ace6e8b9f3eceb554c9

SHA512
aaa99eb241e33b60810060f98c4b9b4ace82a27285e2e9a85135018c64b5debfa8658f9d444464e856f3d8b47cbb6619887e1e84a8ef28d52454a4ce9d580930

Download Submit
memory/1828-495-0x0000000000070000-0x00000000002E8000-memory.dmp

Filesize
2.5MB

Download
memory/1828-521-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/1828-502-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/1828-503-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/1828-498-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

Filesize
40KB

Download
memory/1828-1060-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/2760-28-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

Filesize
4KB

Download
memory/2760-8-0x0000000000B50000-0x0000000000DB2000-memory.dmp

Filesize
2.4MB

Download
memory/2760-26-0x000000000C2C0000-0x000000000C2F8000-memory.dmp

Filesize
224KB

Download
memory/2760-14-0x0000000006A00000-0x0000000006F2C000-memory.dmp

Filesize
5.2MB

Download
memory/2760-27-0x000000000C280000-0x000000000C28E000-memory.dmp

Filesize
56KB

Download
memory/2760-12-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/2760-11-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/2760-10-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/2760-9-0x0000000005700000-0x0000000005708000-memory.dmp

Filesize
32KB

Download
memory/2760-25-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/2760-1041-0x000000000DB10000-0x000000000DBA2000-memory.dmp

Filesize
584KB

Download
memory/2760-29-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/2760-7-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

Filesize
4KB

Download
memory/2760-1053-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/2760-499-0x0000000073A80000-0x0000000074230000-memory.dmp

Filesize
7.7MB

Download
memory/2760-543-0x0000000007150000-0x0000000007170000-memory.dmp

Filesize
128KB

Download
memory/2928-528-0x00007FFFFE300000-0x00007FFFFE301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads