File name:

MSTeamsSetup_c_l_.exe

Full analysis: https://app.any.run/tasks/290fd63e-998e-4008-a144-3183b18b183b
Verdict: Malicious activity
Analysis date: August 12, 2022, 17:41:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

092BFF0405AB418FE22C565E231BE2BA

SHA1:

8AEF2B7D83B3D5AE55B24F25AB6621BB2DEA9287

SHA256:

156CAFA6DA98A57E481AAB74EF748726BD4DCE2912536FB59E65D9A57A3AE7A7

SSDEEP:

24576:4NYuPOTryV7OXRiYZgJw2K9KS74fVyhfP0dhyaz/PxSbQOUP8oSf37Z3/UyD:MOX6743ZvFKS74Nwfahyazx0LZ3jD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • MSTeamsSetup_c_l_.exe (PID: 3524)

    • Application was dropped or rewritten from another process

      • Update.exe (PID: 996)

  • SUSPICIOUS

    • Checks supported languages

      • Update.exe (PID: 996)
      • MSTeamsSetup_c_l_.exe (PID: 3524)

    • Reads the computer name

      • Update.exe (PID: 996)

    • Executable content was dropped or overwritten

      • MSTeamsSetup_c_l_.exe (PID: 3524)

    • Drops a file with a compile date too recent

      • MSTeamsSetup_c_l_.exe (PID: 3524)

    • Reads Environment values

      • Update.exe (PID: 996)

  • INFO

    • Reads Microsoft Office registry keys

      • Update.exe (PID: 996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

SquirrelAwareVersion: 1
ProductVersion: 1.4.4.0
ProductName: Squirrel-based application
OriginalFileName: Setup.exe
LegalCopyright: Copyright (C) 2014
InternalName: Setup.exe
FileVersion: 1.4.4.0
FileDescription: Installer for Squirrel-based applications
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.4.4.0
FileVersionNumber: 1.4.4.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x14510
UninitializedDataSize: -
InitializedDataSize: 1187840
CodeSize: 215040
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2022:04:20 00:24:16+02:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start msteamssetup_c_l_.exe update.exe

Process information

PID
CMD
Path
Indicators
Parent process
996"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperModeC:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
MSTeamsSetup_c_l_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Teams
Exit code:
4294967295
Version:
3.1.2.0
Modules
Images
c:\users\admin\appdata\local\squirreltemp\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
3524"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe" C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Installer for Squirrel-based applications
Exit code:
0
Version:
1.4.4.0
Modules
Images
c:\users\admin\appdata\local\temp\msteamssetup_c_l_.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
Total events
476
Read events
464
Write events
12
Delete events
0

Modification events

(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(996) Update.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
1
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
996Update.exeC:\Users\admin\AppData\Local\SquirrelTemp\SquirrelSetup.logtext
MD5:
SHA256:
3524MSTeamsSetup_c_l_.exeC:\Users\admin\AppData\Local\SquirrelTemp\background.gifimage
MD5:FF1F29DCA0451246C3CA6CB7B023434F
SHA256:753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
3524MSTeamsSetup_c_l_.exeC:\Users\admin\AppData\Local\SquirrelTemp\downloading.gifimage
MD5:3488A1749B859E969C01BA981036FAB6
SHA256:C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99
3524MSTeamsSetup_c_l_.exeC:\Users\admin\AppData\Local\SquirrelTemp\Update.exeexecutable
MD5:55D2BE3EA0DC1DCAEEFDDD7ED12C05E9
SHA256:5CACCD37E4DF62DCF709605DE3F79664DE7190534B56CD69BCC96BDF0F939437
3524MSTeamsSetup_c_l_.exeC:\Users\admin\AppData\Local\SquirrelTemp\endpoint.jsonbinary
MD5:677CAB9A8B50AD026CFA7625A35DD2D7
SHA256:07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
996
Update.exe
104.208.16.88:443
mobile.pipe.aria.microsoft.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
mobile.pipe.aria.microsoft.com
  • 104.208.16.88
whitelisted

Threats

No threats detected
Process
Message
Update.exe
Update.exe Information: 0 :
Update.exe
Starting TelemetryManager constructor
Update.exe
Update.exe Information: 0 :
Update.exe
TelemetryManagerImpl creation started
Update.exe
Update.exe Information: 0 :
Update.exe
Performance counters are disabled. Skipping creation of counters category.
Update.exe
Update.exe Information: 0 :
Update.exe
RecordBatcherTask with ID 4 started.
Update.exe
Update.exe Information: 0 :
Update.exe
DataPackageSender with UserAgent name: AST-exe-C#, version: 3.1.2.0, [Ast_Default_Source]
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MSTeamsSetup_c_l_.exe