File name: Setup.exe

Full analysis: https://app.any.run/tasks/fa1894ec-ef68-43fb-bf28-f4f45d930f2a
Verdict: Malicious activity
Analysis date: January 22, 2025, 01:38:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 974930CE3F894F494C573FB9E7EE0076
SHA1: 07819B738FAFF62A2724DFCF347860AAAC922A5C
SHA256: FCC862DB236CCD85A0E8184C72449A657FE31BB90F2DBD650FFF158260622D7D
SSDEEP: 98304:Nrhz972Ytp74dEIRm1otdlqZhY40U+DgLhqO0KkMVqw/DhXtr2MiJK4uFAwN8sgj:yjlNjlj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • Teams.exe (PID: 3208)
      • Teams.exe (PID: 6352)
    • Changes the autorun value in the registry

      • Teams.exe (PID: 2076)
    • Registers / Runs the DLL via REGSVR32.EXE

      • Update.exe (PID: 7080)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Setup.exe (PID: 6504)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
      • Update.exe (PID: 7080)
    • Starts a Microsoft application from unusual location

      • Setup.exe (PID: 6504)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 6504)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
      • Update.exe (PID: 7080)
    • Reads security settings of Internet Explorer

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2076)
    • Checks Windows Trust Settings

      • Update.exe (PID: 7080)
    • The process drops C-runtime libraries

      • Update.exe (PID: 7080)
    • Application launched itself

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 244)
      • regsvr32.exe (PID: 6844)
    • Searches for installed software

      • Update.exe (PID: 7080)
    • Creates a software uninstall entry

      • Update.exe (PID: 7080)
  • INFO

    • The sample compiled with english language support

      • Setup.exe (PID: 6504)
      • Update.exe (PID: 7080)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 6504)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 6564)
    • Checks supported languages

      • Setup.exe (PID: 6504)
      • MSTeamsSetup_c_l_.exe (PID: 7056)
      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 3208)
      • Teams.exe (PID: 7016)
      • Teams.exe (PID: 6352)
      • Teams.exe (PID: 6564)
      • Teams.exe (PID: 4824)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 3544)
      • Teams.exe (PID: 1512)
      • Teams.exe (PID: 2548)
    • Reads the computer name

      • Setup.exe (PID: 6504)
      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 3208)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 6352)
      • Teams.exe (PID: 7016)
      • Teams.exe (PID: 6564)
      • Teams.exe (PID: 1512)
    • Reads Microsoft Office registry keys

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2464)
      • Squirrel.exe (PID: 3288)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
    • Reads the software policy settings

      • Update.exe (PID: 7080)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
      • Squirrel.exe (PID: 3288)
    • Process checks computer location settings

      • Update.exe (PID: 7080)
      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
      • Teams.exe (PID: 4824)
      • Teams.exe (PID: 2548)
      • Teams.exe (PID: 3544)
    • Reads the machine GUID from the registry

      • Squirrel.exe (PID: 3288)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
      • Update.exe (PID: 7080)
    • Reads CPU info

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Reads product name

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Reads Environment values

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
    • Checks proxy server information

      • Teams.exe (PID: 2464)
      • Update.exe (PID: 5544)
      • Teams.exe (PID: 2076)
      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
    • The process uses the downloaded file

      • Update.exe (PID: 7080)
    • Create files in a temporary directory

      • Teams.exe (PID: 2464)
      • Teams.exe (PID: 2076)
      • Update.exe (PID: 7080)
    • Disables trace logs

      • Update.exe (PID: 5544)
      • Update.exe (PID: 7080)
      • Squirrel.exe (PID: 3288)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:21 16:07:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 2274304
InitializedDataSize: 27071488
UninitializedDataSize: -
EntryPoint: 0x21765c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.7.0.3315
ProductVersionNumber: 1.7.0.3315
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Microsoft Teams
FileVersion: 1.7.00.3315
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2016 Microsoft. All rights reserved.
OriginalFileName: Setup.exe
ProductName: Microsoft Teams
ProductVersion: 1.7.00.3315
SquirrelAwareVersion: 1
CompanyName: Microsoft Corporation
No data.
Total processes: 150
Monitored processes: 18
Malicious processes: 7
Suspicious processes: 0

Behavior graph

[Process tree graph; nodes shown: start, setup.exe, msteamssetup_c_l_.exe, update.exe, squirrel.exe, teams.exe (several instances, most tagged "no specs"), update.exe, regsvr32.exe (three instances, "no specs")]

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 244
CMD: /s /n /i:user "C:\Users\admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.2\x64\Microsoft.Teams.AddinLoader.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1512
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=3800 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 2076
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\teams\current\ffmpeg.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2464
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.19353
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\uiautomationcore.dll
PID: 2548
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4768 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=accountSelectWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 3208
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1896,i,9580035878589261955,6433630308446160644,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 3288
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
Parent process: Update.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams classic
Exit code: 0
Version: 3.3.13.0
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\squirrel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 3544
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3156 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=notificationsManager /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 4824
CMD: "C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --enable-wer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Teams" --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --enable-sandbox --first-renderer-process --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2520 --field-trial-handle=1800,i,5833771605061345395,7131410816166854461,131072 --enable-features=ContextBridgeMutability,SharedArrayBuffer,WinUseBrowserSpellChecker,WinUseHybridSpellChecker --disable-features=CalculateNativeWinOcclusion,ExtraCookieValidityChecks,ForcedColors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --msteams-process-type=loadingWindow /prefetch:1
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\current\Teams.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Teams
Version: 1.7.00.19353
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\current\teams.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
PID: 5544
CMD: C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe --createShortcut=Teams.exe -l=StartMenu
Path: C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe
Parent process: Teams.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams classic
Exit code: 0
Version: 3.3.15.0
Modules (Images):
c:\users\admin\appdata\local\microsoft\teams\update.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
Total events: 15 560
Read events: 14 889
Write events: 652
Delete events: 19

Modification events

(PID) Process | Operation | Key | Name = Value
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | EnableFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | EnableAutoFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | EnableConsoleTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | FileTracingMask = (value not shown)
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | ConsoleTracingMask = (value not shown)
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | MaxFileSize = 1048576
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32 | FileDirectory = %windir%\tracing
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASMANCS | EnableFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASMANCS | EnableAutoFileTracing = 0
(7080) Update.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASMANCS | EnableConsoleTracing = 0
Executable files: 347
Suspicious files: 180
Text files: 143
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\packages\Teams-1.7.00.19353-full.nupkg | (not shown)
  MD5: (not shown)  SHA256: (not shown)
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\background.gif | image
  MD5: FF1F29DCA0451246C3CA6CB7B023434F  SHA256: 753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
6504 | Setup.exe | C:\Users\admin\AppData\Local\Downloads\MSTeamsSetup_c_l_.exe | executable
  MD5: CF0E0F57B68A11D099EC944200A6069D  SHA256: 73354811E3109E265821124A18B1B7D9FD3DD1207BB46C18937D250C6AB46DEC
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\downloading.gif | image
  MD5: 3488A1749B859E969C01BA981036FAB6  SHA256: C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\current\api-ms-win-core-errorhandling-l1-1-0.dll | executable
  MD5: B532BE6FCC0B9A8541A983109B9F2B9D  SHA256: FF47710B4FA6FF287CF7BF686518008B3A181FDAA71735BF4E0D75C00EE5E9D0
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l1-2-0.dll | executable
  MD5: 86CFB9639CE71714EFF03EF8538034A2  SHA256: 9D459C4EA36ED23B521CB7844B8B524BF868AA560515A172355FA44963E5B077
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\current\api-ms-win-core-handle-l1-1-0.dll | executable
  MD5: A45921DDCE0E22AC4070230216A28AAD  SHA256: D84B08DE630E1FEB0DF557BA04632012BAD27ECE4426BE8308D7C3CD2050638C
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l1-1-0.dll | executable
  MD5: 42B1252A3EA28CF3566F6B9EE9815195  SHA256: E903AD9E228EE00A40E22F08319DD1B85DB6B33542E146835489B999BFB1C489
7080 | Update.exe | C:\Users\admin\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l2-1-0.dll | executable
  MD5: 919B224C152EE516ED3726C2D41F8CBC  SHA256: 5AD893365305220EF3FD86497ED60978164DB21DBFD61746EAC818041EE8457A
7056 | MSTeamsSetup_c_l_.exe | C:\Users\admin\AppData\Local\SquirrelTemp\endpoint.json | binary
  MD5: 677CAB9A8B50AD026CFA7625A35DD2D7  SHA256: 07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0
HTTP(S) requests: 7
TCP/UDP connections: 38
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns are empty for every row and are omitted here.)
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
 | | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3508 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6456 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
2728 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2728 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3508 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
3508 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.131:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
 | | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
 | | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1076 | svchost.exe | 184.30.18.9:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.139
whitelisted
google.com
  • 142.250.185.238
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.20
whitelisted
teams.live.com
  • 52.113.194.132
whitelisted
statics.teams.cdn.office.net
  • 23.48.23.22
  • 23.48.23.9
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted

Threats

No threats detected
Debug output strings

Process | Message
Update.exe | TelemetryManagerImpl creation started
Update.exe | Update.exe Information: 0 :
Update.exe | Starting TelemetryManager constructor
Update.exe | Update.exe Information: 0 :
Update.exe | Update.exe Information: 0 :
Update.exe | Performance counters are disabled. Skipping creation of counters category.
Update.exe | Update.exe Information: 0 :
Update.exe | RecordBatcherTask with ID 4 started.
Update.exe | Update.exe Information: 0 :
Update.exe | DataPackageSender with UserAgent name: AST-exe-C#, version: 3.3.15.0, [Ast_Default_Source]