c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DE6.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C20.tmp	msiexec.exe
File created	C:\Windows\Installer\e587aec.msi	msiexec.exe
File created	C:\Windows\Installer\e587ae8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e587ae8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98C3.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x86\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\msteams\shell\open\command\ = "\"ms-teams.exe\" \"%1\""	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x64\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect.1\CLSID\ = "{19A6E644-14E6-4A60-B8D7-DD20610A871D}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect\CurVer\Description = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect.1\ = "Connect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect\CurVer\ = "TeamsAddin.Connect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\msteams\shell\open\command	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\msteams\shell	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect.1\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect\CurVer	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect.1\CLSID\ = "{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\msteams\shell\open	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect\CurVer	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect.1\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.Connect.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TeamsAddin.FastConnect\ = "FastConnect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2856	ms-teams.exe
2856	ms-teams.exe
2856	ms-teams.exe
2856	ms-teams.exe
660	msiexec.exe
660	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	Update.exe
Token: SeShutdownPrivilege	5052	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	5052	ms-teamsupdate.exe
Token: SeSecurityPrivilege	660	msiexec.exe
Token: SeCreateTokenPrivilege	5052	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	5052	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	5052	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	5052	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	5052	ms-teamsupdate.exe
Token: SeTcbPrivilege	5052	ms-teamsupdate.exe
Token: SeSecurityPrivilege	5052	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	5052	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	5052	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	5052	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	5052	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	5052	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	5052	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	5052	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	5052	ms-teamsupdate.exe
Token: SeBackupPrivilege	5052	ms-teamsupdate.exe
Token: SeRestorePrivilege	5052	ms-teamsupdate.exe
Token: SeShutdownPrivilege	5052	ms-teamsupdate.exe
Token: SeDebugPrivilege	5052	ms-teamsupdate.exe
Token: SeAuditPrivilege	5052	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	5052	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	5052	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	5052	ms-teamsupdate.exe
Token: SeUndockPrivilege	5052	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	5052	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	5052	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	5052	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	5052	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	5052	ms-teamsupdate.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1996	Update.exe
2856	ms-teams.exe
2856	ms-teams.exe
2856	ms-teams.exe
2856	ms-teams.exe
2856	ms-teams.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2856	ms-teams.exe
2856	ms-teams.exe
2856	ms-teams.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1996	1928	MSTeamsSetup.exe	85
PID 1928 wrote to memory of 1996	1928	MSTeamsSetup.exe	85
PID 1928 wrote to memory of 1996	1928	MSTeamsSetup.exe	85
PID 660 wrote to memory of 5112	660	msiexec.exe	114
PID 660 wrote to memory of 5112	660	msiexec.exe	114
PID 660 wrote to memory of 5112	660	msiexec.exe	114

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1996
- - C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1733797504139&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2856
  - - C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID a6aacac3-4c9c-4bab-afb7-1e65ae8a38be
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID a6aacac3-4c9c-4bab-afb7-1e65ae8a38be
      4⤵
      Checks processor information in registry
      PID:4000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F1458C7E2E79CB2E3E823031D08AB3D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587aeb.rbs

Filesize
350KB

MD5
f25f00db874098d02dabdc79f1fe90c7

SHA1
24b03d2a395673e41b6d1958e22d02aa5d62eb3b

SHA256
5c177e745cdec0b0566fa473dd95be94215259ea5eaf8afa4a0c9d90aac33806

SHA512
e3cab06892053e9efbe288328a480a0550de11bdc08a08b1f902e7456648d94f84b49f22dd6cf0fe77b7493862ffe461dab94e4ab1c32abd2c318d0a77ff51fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.28402\AddinInstaller.dll

Filesize
34KB

MD5
fd109be1f7a56bebf0ef87189b2135f1

SHA1
d519908c1ab3bb7e079ed30f7bbfac9aeb88cdaf

SHA256
d414cf6887841b35f7380d4de9e2982eaefd4736f83dde81f3e3480aee00c39f

SHA512
72166b7e1b8f953b2409c1520ef4a23d38584ef0fd1c87fff31c4c2e52d6fcf049d1a3a8443cdc9f2dce8872553b8369e7dd21263b8942567cdd5a9736a3cdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.28402\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.28402\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
994B

MD5
6a26ce521c14209053de44c411eee0fa

SHA1
4109423c3f0c78a26aa6a5581b978a4fb96a3415

SHA256
8b4478e1189e7ffb8b516dcf0e577eb38a86ff4e770e71ee423c7c669aa5c479

SHA512
7bd3adbbf2f24403b888bf79fdb4e3d75a91d85de01a8217c7efd03fb9feb4934f1ae7bd311add57f54c0de2185bca062b2dbfa28fbd5a609bd99bb6cfbe4ab5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json~RFe587858.TMP

Filesize
961B

MD5
aa01b6d5996e8aa6aa0ead4540c5f71d

SHA1
298225befe3ebb8d46ece0f86473a39042afc54a

SHA256
375519e63b569c23f4cd94b9acc77cdac7f8c417e56b77fe8dc7543f4c8950bb

SHA512
d344c5ba1bf82b7bac91cfb052e58698493f907b52578d829c66cad2477607470d6959d1c3187658ac64fead0a92fa4dbb24ef2ad5bbda1680eb31342f597757

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
fd708051f01d8c833ca67dcc55aa74ed

SHA1
29890ad1646e9b0b38059f5c358e200d71e709b0

SHA256
1e7f2454ece05de63d2ef4920112242cd9ee2d653890e8a8ba16f99714bdbfec

SHA512
f8f6f264033809f905d2dcc19184cfa9c7578dacaa6abeef4c04ec7ca0c1714dd1e91ede0d8c3ee40e92b3992fa504dff14ede829dd6ab06c2198c617f5708e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
21f1de1f00b2bb9b3bc5394e0f427430

SHA1
9bc4d51376dd1ebb80518cb16aac5b08f71d9c43

SHA256
6bdf90a5a697e2d461029f10d68f4fd8d4cc0015368d17cbe1b2162806c5a237

SHA512
d585256f18d2fa9f0cdfdcce9508bb170bf93c72aaac7dc3524df873ba911b006eec8725573154105b3cd1605abaf1570071fdd2966d7266182b5c1d2ca898d9

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
6ed6895dc98f150caa1cb0d1bf50bb3a

SHA1
261dac2a101c9cf16369fc00febeb0a59bb945ea

SHA256
7baa3337884e72c9fb7c4400db807ed7079a76fea4993a028a4ee83189fcaa49

SHA512
489b113bc9e0a5fe1215a6381c18b1203fcc045bff82b71f2b715eaefe6b93e568d038e4671f922296d0034c67d3763abc646e1d9cd5f52c9b50a082c4e3829e

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
3205d53943152cb9d08340d323b75600

SHA1
5680e38250730183740335007ac9756f55dfef6a

SHA256
a5dd39a7f6133c00f8c440325a01e8a04f25bbfa839a173626867e2adc3c1f02

SHA512
b585e5c7c3589bd7f2fa00bd62906c2abf70b6f5cb4d4c3be9cb66717334a3a933cb7498f0beb56c772b338a8d9dbb0e8cb17b596ec86d07ee25005be5c81448

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
360B

MD5
50eba967da2aa8d1201ba1b201b5a619

SHA1
56175cd1fd98b166b814658c7c3d8e0c7bda10a2

SHA256
a9374fe5b024077a59abc3c3e3427448f7983bf4522dc4322fccbb1fc32485d6

SHA512
74fbd4b597b6c13b249fbd030174f4f2da54df5d4754ed672550a246fa49a92fecc87a9671d69a21bb03efd8e8e7c321827889c008dce311e1ab1e5301ec14ac

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
92b55efe5a1eadcc7e28397686920c81

SHA1
eebe01e746e0ac7255331a88e98696c5ce8ddfb4

SHA256
6b20630f16e98d9550a364e0bf1feaa3a5db15be78b727bb99f292b33426214a

SHA512
a169efd32538fb565477f2e37f3a52efb3e54130a7e79f92cb31796f53d5d964a3e21a26a2627842485c9fd4f26df81a86623ecbeb80f1f2426082e6ea90dd3c

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe58774e.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG7DD6.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\Teams\meeting-addin\meeting-addin-t21-msi.log

Filesize
1KB

MD5
ab87654a52b61fde75f0e7c309b2d8f9

SHA1
d6bdcbfa21d0775280e237227b0ce2e8de91fdb0

SHA256
afc6f019e8a229e47cd7d4634d327dd7711493606ce816e8f13442a8d131e13c

SHA512
96e96d2ceaa51a0d660ed8f03f00d2b94cb90902f3c29e65830821e353ff3b80089413595a3e6152bd6e750c70355232baa8820f4e04e27fb003a0bc20e80bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
52KB

MD5
9d702e603668aff6c44d4232549575db

SHA1
ab00c1901664814fb1f05275a984992ca9f043dd

SHA256
b570e0062b3953e708a38ec7f29f14d52976d572af9f842a9da80c2c4e986c70

SHA512
8994beb49e764633abd2a0a9637a8ccfef1adddf7ce3a127eef36173613166d689f3234d2a5b5a40d86346037712f3e076d3a5f0530417e8c88bba3499dee6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
56KB

MD5
d2a7391c2104c19e54f3c628765561c3

SHA1
e6a80e274978c79f801971e5b36b115b604e5362

SHA256
87281681d1e2d60cc1315817c759448fe33d45fb730335c70f29b214b5e4b932

SHA512
1668b774a87e0a0ff3d0fa408d21c4deb3fed607d6cf7df2c1b9aca24c5b86b45d6944b2e002b32554cefc2e001389f6a195e928320f40fa6de8a9b447380409

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
be6e7f42adbb5946eb94fbfb9bc435c8

SHA1
e567f1c9fc8d0e3accacd77e568ec5f08096aa7d

SHA256
01310c0dee601ecb39abf9095d31b8a3f3df595268c5711fb7d36675f9978d2c

SHA512
7206a6dac21cab5aa310dfe8a5503e3e5f6fdf5bb377c7325a30fcc4c9b0b0defe7673c3245c73aba8235dd62154800169cd663df77287492eb0d9f8723d6cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
e60ac23ff23935e41ce7dce354e03259

SHA1
bd1ad06b73bc2cce4d21819a26df6550d16b3093

SHA256
ac8d0b38ba1ab12241afa99f942f5948a056918c070a312df20fd6eb8a491c7d

SHA512
e46bd9c1d308b210bb732b3ab5e2fbd70bbd7662206c3ec648907c2e0561e9b6c654b17450c014a6d9dcf720f907d677ef6b16ec3c81ec9e611631c7524f474f

Download Submit
C:\Windows\Installer\MSI7D1A.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI98C3.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e587ae8.msi

Filesize
13.2MB

MD5
671d61a6af06bec8d9bec8e495510e06

SHA1
59457005d87757e8e06e6e63c9674655b8b67512

SHA256
34be9ffe274da2accdc4ffe56017c36b123811e945117758c45852bf14cf0d8c

SHA512
8b6c9a99da310fb0a17e46085646f82ce3b3676813fba52e5101b32769170b9c6866b1516ea6cc38933ff86afb0c8b68b6c9b85f23da0551ee26a2d32e5d5f0f

Download Submit
memory/1996-16-0x00000000061C0000-0x00000000066EC000-memory.dmp

Filesize
5.2MB

Download
memory/1996-10-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-22-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-24-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-37-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-31-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-30-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-29-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-13-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/1996-28-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-11-0x0000000005360000-0x000000000537E000-memory.dmp

Filesize
120KB

Download
memory/1996-19-0x0000000007200000-0x0000000007226000-memory.dmp

Filesize
152KB

Download
memory/1996-9-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/1996-27-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/1996-23-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1996-26-0x000000000C3B0000-0x000000000C3BE000-memory.dmp

Filesize
56KB

Download
memory/1996-8-0x0000000000800000-0x0000000000A7A000-memory.dmp

Filesize
2.5MB

Download
memory/1996-7-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/1996-25-0x000000000C3D0000-0x000000000C408000-memory.dmp

Filesize
224KB

Download
memory/5112-332-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/5112-333-0x0000000005580000-0x00000000055BC000-memory.dmp

Filesize
240KB

Download
memory/5112-319-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/5112-315-0x0000000005380000-0x000000000539A000-memory.dmp

Filesize
104KB

Download