Malware analysis SetupProd_TeamsAddIn.exe Malicious activity

Add for printing

File name:	SetupProd_TeamsAddIn.exe
Full analysis:	https://app.any.run/tasks/ef18687b-a30c-4e66-bdaf-3a36b73a6773
Verdict:	Malicious activity
Analysis date:	August 22, 2024, 13:45:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	F164D65666DCD14CCC2EFE7413234FA1
SHA1:	499922FE5D2296FA5F4CEC488F39AC489D68C6D2
SHA256:	84B04E0A98357EF9FF75884B13288CE8F35993CA025A1D996A1EA140A3A5A7CD
SSDEEP:	3072:X1f8Yo9wu8tQ2uc5pmaE8Hbc/dKS2Jn91f32wx9M41ku+wMfZylcj/8F3fiL2W:XGYo9wWQHbPn9BBywEylcj/s0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - SetupProd_TeamsAddIn.exe (PID: 6740)
  - dfsvc.exe (PID: 6800)
- Drops the executable file immediately after the start
  - SetupProd_TeamsAddIn.exe (PID: 6740)
  - dfsvc.exe (PID: 6800)
- Searches for installed software
  - SetupProd_TeamsAddIn.exe (PID: 6740)
- Starts a Microsoft application from unusual location
  - SetupProd_TeamsAddIn.exe (PID: 6692)
  - SetupProd_TeamsAddIn.exe (PID: 6740)
- Reads security settings of Internet Explorer
  - dfsvc.exe (PID: 6800)
- Reads Internet Explorer settings
  - dfsvc.exe (PID: 6800)
- Checks Windows Trust Settings
  - dfsvc.exe (PID: 6800)
- The process creates files with name similar to system file names
  - dfsvc.exe (PID: 6800)
- Executable content was dropped or overwritten
  - dfsvc.exe (PID: 6800)
- The process drops C-runtime libraries
  - dfsvc.exe (PID: 6800)
INFO
- Checks supported languages
  - SetupProd_TeamsAddIn.exe (PID: 6740)
  - dfsvc.exe (PID: 6800)
- Create files in a temporary directory
  - SetupProd_TeamsAddIn.exe (PID: 6740)
  - dfsvc.exe (PID: 6800)
- Reads the machine GUID from the registry
  - dfsvc.exe (PID: 6800)
- Reads the computer name
  - dfsvc.exe (PID: 6800)
- Creates files or folders in the user directory
  - dfsvc.exe (PID: 6800)
- Reads Environment values
  - dfsvc.exe (PID: 6800)
- Disables trace logs
  - dfsvc.exe (PID: 6800)
- Checks proxy server information
  - dfsvc.exe (PID: 6800)
- Reads the software policy settings
  - dfsvc.exe (PID: 6800)
- Process checks whether UAC notifications are on
  - dfsvc.exe (PID: 6800)
- The process uses the downloaded file
  - dfsvc.exe (PID: 6800)
- Dropped object may contain TOR URL's
  - dfsvc.exe (PID: 6800)
- Manual execution by a user
  - control.exe (PID: 320)
- Reads Microsoft Office registry keys
  - control.exe (PID: 320)
- Reads security settings of Internet Explorer
  - control.exe (PID: 320)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:05:30 03:39:47+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.12
CodeSize:	74752
InitializedDataSize:	114688
UninitializedDataSize:	-
EntryPoint:	0x2b03
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Support and Recovery Assistant for Office 365
FileVersion:	1.0.0.0
LegalCopyright:	© Microsoft Corporation. All rights reserved.
ProductName:	Microsoft Support and Recovery Assistant for Office 365
ProductVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

320

"C:\WINDOWS\system32\control.exe" SYSTEM

C:\Windows\System32\control.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Control Panel

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\urlmon.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winhttp.dll

6692

"C:\Users\admin\AppData\Local\Temp\SetupProd_TeamsAddIn.exe"

C:\Users\admin\AppData\Local\Temp\SetupProd_TeamsAddIn.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Support and Recovery Assistant for Office 365

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\setupprod_teamsaddin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6740

"C:\Users\admin\AppData\Local\Temp\SetupProd_TeamsAddIn.exe"

C:\Users\admin\AppData\Local\Temp\SetupProd_TeamsAddIn.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Support and Recovery Assistant for Office 365

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\setupprod_teamsaddin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

6764

C:\WINDOWS\system32\rundll32.exe dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&symptomid=7DEB9E4F-B4CA-48C4-AA75-F21B4B25B888

C:\Windows\SysWOW64\rundll32.exe

—

SetupProd_TeamsAddIn.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6800

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

ClickOnce

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

5 102

Read events

5 072

Write events

Delete events

Modification events


(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:	write	Name:	ComponentStore_RandomString
Value: 0KBD8KTP5C12EA7GACZCV41Q
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:	delete value	Name:	ComponentStore_RandomString
Value: 0KBD8KTP5C12EA7GACZCV41Q
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
Operation:	write	Name:	ComponentStore_RandomString
Value: Y2QDQCEJMGPPMOTGRCGY87DJ
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:	write	Name:	StateStore_RandomString
Value: MD4E7CBKND0LP8Q5OD4H5J1B
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6800) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:

Add for printing

Executable files

213

Suspicious files

Text files

283

Unknown types

Dropped files

PID	Process	Filename		Type
6800	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\W4CR2XAA.HLY\JEHTPOH3.VB8\Microsoft.Sara.exe.manifest		xml
		MD5:799138FA938158C52892B8F977207471	SHA256:F39B77F6FA9D3995908B3EA5B71CEAC7A76FA36680A75B6D82880AF328079431
6740	SetupProd_TeamsAddIn.exe	C:\Users\admin\AppData\Local\Temp\SaraSetup.log		binary
		MD5:2F738E7D3917EEE7FFAD8E07FF54324B	SHA256:127689ED95C9A62E11B13D1E8CA471DB606D8A1605EA2107F6ED208B4A9CE905
6800	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\W4CR2XAA.HLY\JEHTPOH3.VB8\en\offcat.config.xml		xml
		MD5:146D0C42C4F6111DC20CCE076B7F5DB4	SHA256:FD3D83ABB166819AD9EA49350456BC39A191F7C58F4B97C94B309DD2C71D2587
6800	dfsvc.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850		binary
		MD5:CB3B332B6265B65D251F47AE65990297	SHA256:2799EDBD951DEE570D113BF322D3CE0A2AB8B3AF89AF290387001EC303A3FDEA
6800	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\W4CR2XAA.HLY\JEHTPOH3.VB8\en\access.config.xml		xml
		MD5:39E98A49311231F92ADF4FAF229B8E0B	SHA256:BF42C275185C0F4C15705F30A2429461EEC6B0005688C5D33C44DF4FAA628443
6800	dfsvc.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892		der
		MD5:0840F3C261E695105CD15C84EA85BEED	SHA256:F60632399A87485A7417DDF8B407DA66794C37347B3AA9E995EC389ECD091947
6800	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\W4CR2XAA.HLY\JEHTPOH3.VB8\tools\x64\mrmapi.exe		executable
		MD5:2B09ABEFDC84D46D10C2A83B0870F3D4	SHA256:973DEE4EE73FDF7BC5815D7EDF3DDEE8E0C40B259BC1DCDE603B0BB3AE732CAA
6800	dfsvc.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850		der
		MD5:C7D1234376F3389D6C220F0DCF24341B	SHA256:F67F7E62B47D1C4D9059F9F01FF40D52044EE81F594C5B8C8925C254381061E5
6800	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\W4CR2XAA.HLY\JEHTPOH3.VB8\sara2.ico		image
		MD5:64ABE480FD183A30B203DAAC7A523821	SHA256:38FE914C14F96C6BECB22203D722E15036A49F78E085F339236BC7E18D6D3A06
6800	dfsvc.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE		der
		MD5:DDF4DE0DC1AC39C22F605957A1FE614B	SHA256:0ACF9791F2CBBF8330653DF8D90E760108DD7ED3B5DB03C4DE164BD5047E4D4A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5212	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6800	dfsvc.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7020	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6800	dfsvc.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl	unknown	—	—	whitelisted
6800	dfsvc.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	—	—	whitelisted
6664	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1028	SystemSettings.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1028	SystemSettings.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3840	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3584	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6800	dfsvc.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5212	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5212	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6800	dfsvc.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
6800	dfsvc.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	unknown

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
outlookdiagnostics.azureedge.net	152.199.19.160	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.124.78.146	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	40.126.32.68 20.190.160.17 40.126.32.136 40.126.32.140 20.190.160.14 40.126.32.76 40.126.32.134 40.126.32.72	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
arc.msn.com	20.24.125.47	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted

Threats

No threats detected

Add for printing

Process	Message
SetupProd_TeamsAddIn.exe	Version verficiation success
SetupProd_TeamsAddIn.exe
SetupProd_TeamsAddIn.exe	Current .net version is 533325
SetupProd_TeamsAddIn.exe
SetupProd_TeamsAddIn.exe	Fail to query SaraInstalled value
SetupProd_TeamsAddIn.exe
SetupProd_TeamsAddIn.exe	C:\WINDOWS\system32\rundll32.exe dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&symptomid=7DEB9E4F-B4CA-48C4-AA75-F21B4B25B888
SetupProd_TeamsAddIn.exe
SetupProd_TeamsAddIn.exe	Start to install Office 365 Support and Recovery Assistant
SetupProd_TeamsAddIn.exe

General Info

SetupProd_TeamsAddIn.exe

F164D65666DCD14CCC2EFE7413234FA1

499922FE5D2296FA5F4CEC488F39AC489D68C6D2

84B04E0A98357EF9FF75884B13288CE8F35993CA025A1D996A1EA140A3A5A7CD

3072:X1f8Yo9wu8tQ2uc5pmaE8Hbc/dKS2Jn91f32wx9M41ku+wMfZylcj/8F3fiL2W:XGYo9wWQHbPn9BBywEylcj/s0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Drops the executable file immediately after the start

Searches for installed software

Starts a Microsoft application from unusual location

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Checks Windows Trust Settings

The process creates files with name similar to system file names

Executable content was dropped or overwritten

The process drops C-runtime libraries

INFO

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Creates files or folders in the user directory

Reads Environment values

Disables trace logs

Checks proxy server information

Reads the software policy settings

Process checks whether UAC notifications are on

The process uses the downloaded file

Dropped object may contain TOR URL's

Manual execution by a user

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings